Patch Tuesday Microsoft has disclosed 90 flaws in its products – six of which have already been exploited – and four others that are listed as publicly known.

There's another dozen in the list from third-party vendors that are now included in Microsoft's monthly update. Happy August Patch Tuesday, folks.

Of the 102 total bugs listed this month, nine are rated critical – but so far none of those seem to have been found and abused by the bad guys.

So let’s start with the six bugs under active exploitation:

CVE-2024-38189 – a Microsoft Project Remote Code Execution Vulnerability with an 8.8 CVSS rating. The bad news is it's an RCE and was exploited before it issued a fix.

The good news is exploitation requires a couple of security features to be disabled before an attacker can remotely execute code on a victim's machine. Assuming a criminal can find a system that runs macros downloaded from the internet, and also has the block macros from running in Office files from the internet policy disabled, and convinces a victim to open a malicious file, it's game over. Obviously, someone has managed to navigate those hoops, although we have no details on the exploitation, or how widespread it is.

CVE-2024-38178 – a Scripting Engine Memory Corruption Vulnerability that earned a 7.5 CVSS. Microsoft says the attack complexity is high on this one, and it requires the victim to use Edge in Internet Explorer Mode. Apparently some orgs and their websites still really like this dead web browser that Microsoft stopped supporting two years ago.

Once Edge is in Internet Explorer mode, if an attacker can convince the victim to click on a specially crafted URL they can execute remote code on the victim's device.

Redmond credits south Korea's National Cyber Security Center and AhnLab with finding and reporting this vulnerability.

CVE-2024-38193 – a 7.8 rated Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. This one could allow an attacker to gain system privileges.

As Zero Day Initiative's Dustin Childs noted: "These types of bugs are typically paired with a code execution bug to take over a target. Microsoft doesn't provide any indication of how broadly this is being exploited, but considering the source, if it's not in ransomware already, it likely will be soon."

Gen Digital bug hunters Luigino Camastra and Milánek disclosed the flaw to Redmond.

CVE-2024-38106 – a Windows Kernel Elevation of Privilege Vulnerability with a 7.0 CVSS rating.

Exploiting this bug requires an attacker to win a race condition, but Redmond doesn't provide any details about what that race involves. But once that happens the miscreant can gain system privileges. It's been exploited, so patch soon.

CVE-2024-38107 – a 7.8-rated Windows Power Dependency Coordinator Elevation of Privilege Vulnerability. It could also result in system privileges and has been exploited in the wild.

CVE-2024-38213 – a Windows Mark of the Web Security Feature Bypass Vulnerability that earned a 6.5 CVSS rating.

ZDI researcher Peter Girnus found and reported this vulnerability, which allows an attacker to bypass the SmartScreen security feature. It does, however, require the mark to open a malicious file.