Windows update patches critical remote code execution flaws
Microsoft released the August Windows Update, patching several vulnerabilities that allow remote code execution as an administrator without authentication. Although these issues ostensibly affect optional functions, they pose a threat in various scenarios.
2:09 PM EDT, August 14, 2024
MSMQ and LPD
The first vulnerability is CVE-2024-38140, which allows remote code execution through the Pragmatic General Multicast (PGM) service at the network service level. Once again, the RMCAST protocol driver has proven to be susceptible. PGM is active only when the MSMQ service is used in Windows and is turned off by default. MSMQ frequently appears on vulnerability lists.
The second issue is in LPD's print handling, identified as CVE-2024-38199. This vulnerability enables remote code execution without requiring initial privileges. Like MSMQ, LPD is not installed by default and has been marked for removal from the system for 12 years. However, LPD can still be activated in the latest versions, including 24H2, for compatibility reasons.
IPv6
Another serious problem is found in the handling of the IPv6 protocol (CVE-2024-38063). Sending specially crafted IPv6 packets to a Windows host enables remote code execution on it, even if no services are listening. The system firewall does not protect against this vulnerability, because it lies deeper, in the network stack itself.
This is a very serious issue, as vulnerabilities usually affect services, not the network handling mechanism itself. It is important to note that even if IPv6 is not actively used, it is enabled by default for every network connection. To disable it, you must uncheck the protocol in the connection properties.
Hyper-V
The poorly described vulnerability CVE-2024-38160 is related to escaping from a virtual machine. According to the summary, it is possible to interact with other machines. Microsoft recommends disabling Hyper-V and its dependent services, though one of the dependent functions is VBS, or core isolation.
Once an optional feature, core isolation has been a mandatory virtualization-based security feature since the release of Windows 11. It requires compatible drivers and processors. On older hardware that lacks core isolation, the system runs in Windows 10 mode.
Microsoft now recommends disabling this feature for increased security. However, the vulnerability only affects Windows Server 2016 and Windows 10 Enterprise LTSC 2016, where VBS was never enabled by default. Newer versions, including Windows 11, where VBS is mandatory, are not affected. Such a case is rare.
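An added host audit, not code from the article or from Microsoft, that reports the exposure points described in the three sections above: whether MSMQ, LPD and Hyper-V are installed, whether the RMCAST (PGM) driver is present, which adapters still have IPv6 bound, and whether VBS is running. The DISM feature names MSMQ-Server, LPDPrintService and Microsoft-Hyper-V and the RMCAST service name are assumptions here; the script only reads state and changes nothing.

```powershell
# Added audit script (not part of the original article): lists whether the optional
# components named in the August 2024 bulletins are present on this host.
# Assumes Windows 10/11 or Server with the DISM and NetAdapter modules; run elevated.
$ErrorActionPreference = 'Stop'

function Get-FeatureState {
    param([string]$Name)
    # Feature names assumed from the standard DISM catalogue; unknown names return null
    $f = Get-WindowsOptionalFeature -Online -FeatureName $Name -ErrorAction SilentlyContinue
    if ($null -eq $f) { return 'NotPresent' }
    return [string]$f.State   # Enabled / Disabled / DisabledWithPayloadRemoved
}

$findings = [ordered]@{
    # CVE-2024-38140: PGM is reachable only when MSMQ is installed
    'MSMQ (PGM exposure)' = Get-FeatureState 'MSMQ-Server'
    # CVE-2024-38199: LPD Print Service, deprecated but still installable
    'LPD Print Service'   = Get-FeatureState 'LPDPrintService'
    # CVE-2024-38160: Hyper-V role
    'Hyper-V'             = Get-FeatureState 'Microsoft-Hyper-V'
}

# RMCAST (the PGM driver) is a kernel driver, so query Win32_SystemDriver, not Get-Service
$rmcast = Get-CimInstance Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue
$findings['RMCAST driver'] = if ($rmcast) { "$($rmcast.State) (start: $($rmcast.StartMode))" } else { 'NotPresent' }

# CVE-2024-38063: IPv6 is bound per adapter; list adapters where ms_tcpip6 is still enabled
$ipv6 = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
$findings['IPv6 bound on adapters'] = if ($ipv6) { $ipv6.Name -join ', ' } else { 'none' }

# VBS / core isolation status: 0 = not enabled, 1 = enabled but not running, 2 = running
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$findings['VBS (core isolation)'] = @('NotEnabled', 'EnabledNotRunning', 'Running')[$dg.VirtualizationBasedSecurityStatus]

$findings.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
```

Anything other than Disabled or NotPresent for the first three rows, or an adapter listed for IPv6, marks a surface the corresponding bulletin applies to until the update is installed.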
The August security bulletins are richer in detail than usual. They include information about vulnerabilities in the grub2 package of the Red Hat Enterprise Linux system (due to unique risk analysis regarding Secure Boot) and mitigation of a complex attack using Windows Update. The vulnerability, named "Windows Downdate," allows remote installation of an older, vulnerable version of security patches for later exploitation.
The latest update for Windows 11 is 773 MB, while the update for Windows 10 is 688 MB, though prerequisite packages are needed. Interestingly, Windows Server 2008, whose extended support ended 4.5 years ago and paid support ended 1.5 years ago, still receives updates. Despite Azure support ending in January, the KB5041850 update, built on August 10, 2024, includes version 6.0.6003.22814 of the Windows Vista kernel.