Microsoft has addressed a complete of 61 new safety flaws in its software program as a part of its Patch Tuesday updates for Might 2024, together with two zero-days which have been actively exploited within the wild.
Of the 61 flaws, one is rated Important, 59 are rated Vital, and one is rated Average in severity. That is along with 30 vulnerabilities resolved within the Chromium-based Edge browser over the previous month, together with two not too long ago disclosed zero-days (CVE-2024-4671 and CVE-2024-4761) which have been tagged as exploited in assaults.
The 2 safety shortcomings which have been weaponized within the wild are under –
- CVE-2024-30040 (CVSS rating: 8.8) – Home windows MSHTML Platform Safety Function Bypass Vulnerability
- CVE-2024-30051 (CVSS rating: 7.8) – Home windows Desktop Window Supervisor (DWM) Core Library Elevation of Privilege Vulnerability
“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user,” the tech big mentioned in an advisory for CVE-2024-30040.
Nonetheless, profitable exploitation requires an attacker to persuade the consumer to load a specifically crafted file onto a weak system, distributed both through electronic mail or an prompt message, and trick them into manipulating it. Curiously, the sufferer does not must click on or open the malicious file to activate the an infection.
Alternatively, CVE-2024-30051 may enable a menace actor to realize SYSTEM privileges. Three teams of researchers from Kaspersky, DBAPPSecurity WeBin Lab, Google Risk Evaluation Group, and Mandiant have been credited with discovering and reporting the flaw, indicating doubtless widespread exploitation.
“We’ve got seen it used along with QakBot and different malware, and consider that a number of menace actors have entry to it,” Kaspersky researchers Boris Larin and Mert Degirmenci mentioned.
Each vulnerabilities have been added by the U.S. Cybersecurity and Infrastructure Safety Company (CISA) to its Recognized Exploited Vulnerabilities (KEV) catalog, requiring federal companies to use the most recent fixes by June 4, 2024.
Additionally resolved by Microsoft are a number of distant code execution bugs, together with 9 impacting Home windows Cell Broadband Driver and 7 affecting Home windows Routing and Distant Entry Service (RRAS).
Different notable flaws embody privilege escalation flaws within the Widespread Log File System (CLFS) driver – CVE-2024-29996, CVE-2024-30025 (CVSS scores: 7.8), and CVE-2024-30037 (CVSS rating: 7.5) – Win32k (CVE-2024-30028 and CVE-2024-30030, CVSS scores: 7.8), Home windows Search Service (CVE-2024-30033, CVSS rating: 7.0), and Home windows Kernel (CVE-2024-30018, CVSS rating: 7.8).
In March 2024, Kaspersky revealed that menace actors are trying to actively exploit now-patched privilege escalation flaws in varied Home windows elements owing to the truth that “it’s a very easy way to get a quick NT AUTHORITYSYSTEM.”
Akamai has additional outlined a brand new privilege escalation approach affecting Lively Listing (AD) environments that takes benefit of the DHCP directors group.
“In cases where the DHCP server role is installed on a Domain Controller (DC), this could enable them to gain domain admin privileges,” the corporate famous. “Along with offering a privilege escalation primitive, the identical approach may be used to create a stealthy area persistence mechanism.
Rounding off the record is a safety function bypass vulnerability (CVE-2024-30050, CVSS rating: 5.4) impacting Home windows Mark-of-the-Internet (MotW) that could possibly be exploited by the use of a malicious file to evade defenses.
Software program Patches from Different Distributors
Along with Microsoft, safety updates have additionally been launched by different distributors over the previous few weeks to rectify a number of vulnerabilities, together with —
