Microsoft May Patch Tuesday fixes two actively exploited zero days
Microsoft has fixed 60 Windows CVEs in its May Patch Tuesday update, two of which are actively exploited zero days. One is a critical vulnerability, earning an 8.8 CVSS rating.
Among the most serious vulnerabilities patched in the May update is a remote code execution (RCE) fault in SharePoint Server (CVE-2024-30044, CVSS 8.8). It allows an unauthenticated attacker to inject arbitrary code followed by specific API calls to trigger deserialisation of the file's parameters.
Kev Breen, senior director threat research at Immersive Labs, said an attacker with code execution or even privileged access to a company SharePoint server "could launch further attacks or move laterally in the network by modifying files with Trojaned versions or in the case of a document store gain access to large volumes of sensitive information."
However, noted, Satnam Narang, senior staff research engineer at Tenable, exploitation is not straightforward as it requires the attacker to have "Site Owner" permissions (or higher) with additional steps required to exploit this flaw, "which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance."
CVE-2024-30051 is an elevation of privilege zero day bug in Windows DWM core library with a 7.8 CVSS severity rating. DWM is responsible for drawing everything on the display of a Windows system. According to researchers from Kaspersky team, it is being used by several groups to deploy modified versions of the Qakbot banking Trojan. QakBot is widely used to deploy ransomware and other malware.
Saeed Abbasi, product manager vulnerability research, Qualys Threat Research Unit, described the bug as a "vital security threat" because it allows attackers to gain System privileges.
"Exploitation is feasible with low attack complexity and no user interaction, increasing the likelihood of widespread attacks," he said. "The involvement of multiple recognised security researchers highlights the importance of this vulnerability in security circles, which could lead to increased attempts at exploitation.
Narang noted that "CVE-2024-30051 is the second DWM core library zero day that was exploited in the wild in at least the last six months." Microsoft patched CVE-2023-36033 in November 2023. The company provided no detail about how the latest bug is being exploited, nor by whom.
The other zero day patched this month is CVE-2024-30040, a security feature bypass bug in Windows MSHTML, which received an 8.8 CVSS score. An attacker could use social engineering to persuade a victim to load a malicious file, then bypass OLE mitigations in Microsoft 365 and Office to execute code. This bug is being actively exploited, but again Microsoft has not provided details.
Breen said that fixing CVE-2024-30040 should be a priority, but criticised Microsoft's disclosure as "painfully obtuse".
"The confusing part is Microsoft's statement that an attacker must 'convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file.' This statement can make it hard for security teams to create robust detection rules without knowing exactly what is required."
Microsoft also released updated patches for three Windows Remote Access Connection Manager information disclosure vulnerabilities originally published in April 2024: CVE-2024-26207, CVE-2024-26217, and CVE-2024-28902. Microsoft states that an unspecified regression introduced by the April patches is resolved by installation of the May patches.
Amid a slew of other third-party updates, administrators are advised to update all browsers, particularly Firefox and Chrome in which critical vulnerabilities were recently patched. macOS also received an important fix on 13th May.