Microsoft Could 2024 Patch Tuesday fixes 3 zero-days, 61 flaws

At the moment is Microsoft’s Could 2024 Patch Tuesday, which incorporates safety updates for 61 flaws and three actively exploited or publicly disclosed zero days.

This Patch Tuesday solely fixes one crucial vulnerability, a Microsoft SharePoint Server Distant Code Execution Vulnerability.

The variety of bugs in every vulnerability class is listed beneath:

• 17 Elevation of Privilege Vulnerabilities
• 2 Safety Characteristic Bypass Vulnerabilities
• 27 Distant Code Execution Vulnerabilities
• 7 Data Disclosure Vulnerabilities
• 3 Denial of Service Vulnerabilities
• 4 Spoofing Vulnerabilities

The overall rely of 61 flaws doesn’t embrace 2 Microsoft Edge flaws mounted on Could 2nd and 4 mounted on Could tenth.

To study extra in regards to the non-security updates launched at the moment, you possibly can overview our devoted articles on the brand new Home windows 11 KB5037771 cumulative replace and the Home windows 10 KB5037768 replace.

Three zero-days mounted

This month’s Patch Tuesday fixes two actively exploited and one publicly disclosed zero-day vulnerabilities.

Microsoft classifies a zero-day as a flaw publicly disclosed or actively exploited with no official repair accessible.

The 2 actively exploited zero-day vulnerabilities in at the moment’s updates are:

CVE-2024-30040 – Home windows MSHTML Platform Safety Characteristic Bypass Vulnerability

Microsoft has mounted an actively exploited bypass to OLE mitigations, which had been added to Microsoft 365 and Microsoft Workplace to guard customers from weak COM/OLE controls.

“An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file,” explains Microsoft.

“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user,” continued Microsoft.

It isn’t recognized how the flaw was abused in assaults or who found it.

CVE-2024-30051 – Home windows DWM Core Library Elevation of Privilege Vulnerability

Microsoft has mounted an actively exploited Home windows DWM Core Library flaw that gives SYSTEM privileges.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” explains Microsoft.

Kaspersky states that latest Qakbot malware phishing assaults used malicious paperwork to use the flaw and achieve SYSTEM privileges on Home windows gadgets.

Microsoft stated the flaw was disclosed by the next researchers: Mert Degirmenci and Boris Larin with Kaspersky, Quan Jin with DBAPPSecurity WeBin Lab Guoxian Zhong with DBAPPSecurity WeBin Lab, and Vlad Stolyarov and Benoit Sevens of Google Risk Evaluation Group Bryce Abdo and Adam Brunner of Google Mandiant.

Microsoft states that the CVE-2024-30051 was additionally publicly disclosed, but it surely’s unclear the place that was finished. As well as, Microsoft says a denial of service flaw in Microsoft Visible Studio tracked as CVE-2024-30046 was publicly disclosed as properly.

Current updates from different corporations

Different distributors who launched updates or advisories in Could 2024 embrace:

Sadly, we’ll not be linking to SAP’s Patch Tuesday safety updates as they’ve positioned them behind a buyer login.

The Could 2024 Patch Tuesday Safety Updates

Beneath is the entire listing of resolved vulnerabilities within the Could 2024 Patch Tuesday updates.

To entry the complete description of every vulnerability and the methods it impacts, you possibly can view the full report right here.