Patch Tuesday has passed, and we are now left with what is colloquially known in cybersecurity circles as Exploit Wednesday. This month, that could be more problematic for Windows users than usual as Microsoft confirms four zero-day threats, including one that can bypass a critical Windows security function that helps defend against ransomware attacks.
What Is CVE-2024-38217 And How Does It Help Ransomware Hackers?
Microsoft has confirmed CVE-2024-38217 (the Common Vulnerabilities and Exposures entry numbered 38217 of 2024), and it’s a bad one. That should be taken as a given considering it’s classed as a zero-day vulnerability. By Microsoft’s definition, a zero-day vulnerability is a flaw for which “no official patch or security update has been released.” Microsoft adds that zero-day vulnerabilities “often have high severity levels and are actively exploited.”
In the case of CVE-2024-38217, the vulnerability has been both publicly disclosed and actively exploited before a fix was available. This makes it a worst-case scenario, tempered only by the fact that the fix is included in the new Patch Tuesday security update rollout.
So, what threat does it pose specifically? It’s what is known as a security feature bypass vulnerability because it allows an attacker to get around the protections that Mark of the Web provides for Windows users. Mark of the Web, or MotW, is the tag Windows attaches to files downloaded from the internet so that SmartScreen, Office Protected View and similar defenses treat them as untrusted; strip or defeat the mark and those warnings never appear. “This vulnerability allows an attacker to manipulate the security warnings that typically inform users about the risks of opening files from unknown or untrusted sources,” Saeed Abbasi, manager of vulnerability research at the Qualys Threat Research Unit, said. “Similar MoTW bypasses have historically been linked to ransomware attacks, where the stakes are high.”
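To make the mark concrete, here is an added PowerShell example (mine, not the article’s, Microsoft’s or Qualys’s) that inventories a folder and reports which files still carry the Zone.Identifier alternate data stream that holds the Mark of the Web. The folder, the extension list and the function name are assumptions chosen for illustration; the stream name and ZoneId values are how Windows actually stores the mark.

```powershell
# Added example, not from the article: inventory which files in a folder still carry
# the Mark of the Web. MotW lives in the NTFS alternate data stream "Zone.Identifier";
# ZoneId=3 marks the Internet zone and ZoneId=4 the Restricted Sites zone. A file that
# arrived from a browser or mail client but has no stream is exactly the condition a
# MotW bypass leaves behind. The extension list and folder below are illustrative assumptions.
function Get-MotWStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Extensions = @('.lnk', '.pub', '.docm', '.xlsm', '.zip', '.iso', '.exe', '.js', '.vbs')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $file    = $_        # capture now: inside catch, $_ becomes the error record
            $zoneId  = $null
            $hostUrl = $null
            try {
                # Throws when the stream is absent (never downloaded, stripped, or non-NTFS volume).
                $lines = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction Stop
                foreach ($line in $lines) {
                    if ($line -match '^ZoneId=(\d+)\s*$')  { $zoneId  = [int]$Matches[1] }
                    elseif ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
                }
            } catch {
                # No Zone.Identifier stream: leave $zoneId as $null so HasMotW reports $false.
            }

            [pscustomobject]@{
                Path    = $file.FullName
                HasMotW = ($null -ne $zoneId)
                ZoneId  = $zoneId
                HostUrl = $hostUrl
                Written = $file.LastWriteTime
            }
        }
}

# Usage: recently written files in Downloads that lack the mark deserve a closer look
# before anyone double-clicks them.
Get-MotWStatus -Path "$env:USERPROFILE\Downloads" |
    Where-Object { -not $_.HasMotW } |
    Sort-Object Written -Descending |
    Format-Table Path, Written -AutoSize
```

Run it on an NTFS volume; files copied in from FAT-formatted USB media or extracted by tools that do not propagate the stream never had a mark in the first place, so absence alone is a prompt for inspection, not proof of tampering.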
The Critical Ransomware Threat Facing Windows Users
Only last month, Microsoft issued an advisory for another MotW vulnerability that was being actively exploited, CVE-2024-38213, which was linked to a notorious malware family called DarkGate, used by ransomware operators. Satnam Narang, senior staff research engineer at Tenable, warns that there are in fact two zero-day vulnerabilities in this latest Windows security update release that can bypass security features. CVE-2024-38226 is a flaw in Microsoft Publisher that could lead to the bypass of the security features that block Microsoft Office macros from running. In both bypass cases, Narang said, “the target needs to be convinced to open a specially crafted file from an attacker-controlled server. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226.” Narang urges organizations to put these vulnerabilities at the top of their threat remediation list.