
As part of the May 2024 Patch Tuesday update, Microsoft has addressed a total of 61 new security vulnerabilities in its software, including two widely exploited zero-day vulnerabilities.
Of the 61 flaws, one is rated Critical, 59 are rated Important, and one is rated Moderate. Over the past month, 30 vulnerabilities were also addressed in the Chromium-based Edge browser, including two recently disclosed zero-days (CVE-2024-4671 and CVE-2024-4761) that have been flagged as exploited in attacks.
Two security flaws that have been weaponized in the wild are as follows:
- CVE-2024-30040 (CVSS score: 8.8) – Windows MSHTML Platform Security Feature Bypass Vulnerability
- CVE-2024-30051 (CVSS score: 7.8) – Windows Desktop Window Manager (DWM) core library elevation of privilege vulnerability
“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution privileges by convincing a user to open a malicious file, at which point the attacker would be able to execute arbitrary code.”
However, successful exploitation requires an attacker to convince the user to load a specially crafted file, distributed via email or instant message, onto a vulnerable system and trick them into interacting with it. Interestingly, the victim does not have to click or open the malicious archive to initiate the infection.
CVE-2024-30051, on the other hand, could allow threat actors to gain SYSTEM privileges. Three teams of researchers from Kaspersky, DBAPPSecurity WeBin Lab, Google Threat Analysis Group, and Mandiant discovered and reported the vulnerability, indicating that it could be widely exploited.

“We have seen it used with QakBot and other malware and believe multiple threat actors have access to it,” Kaspersky researchers Boris Larin and Mert Degirmenci said.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the latest fixes by June 4, 2024.
Microsoft also resolved multiple remote code execution bugs, including nine bugs affecting the Windows Mobile Broadband driver and seven bugs affecting the Windows Routing and Remote Access Service (RRAS).
Other notable flaws include privilege escalation flaws in the Common Log File System (CLFS) driver – CVE-2024-29996, CVE-2024-30025 (CVSS score: 7.8), and CVE-2024-30037 (CVSS score: 7.5) – Win32k (CVE-2024-30028 and CVE-2024-30030, CVSS score: 7.8), Windows Search Service (CVE-2024-30033, CVSS score: 7.0), and Windows Core (CVE-2024-30018, CVSS score: 7.8).
In March 2024, Kaspersky revealed that threat actors were actively trying to exploit now-patched privilege escalation flaws in various Windows components because “it’s a very easy way to get a quick NT AUTHORITY\SYSTEM.”
Akamai further outlined a new privilege escalation technique affecting Active Directory (AD) environments that leverages the DHCP Administrators group.
“If the DHCP server role is installed on a domain controller (DC), this may allow them to gain domain administrative rights,” the company notes. “In addition to providing privilege escalation primitives, the same technology can also be used to create a stealth domain persistence mechanism.”

Finally, there is a security feature bypass vulnerability (CVE-2024-30050, CVSS score: 5.4) affecting Windows Mark-of-the-Web (MotW), which can be exploited with malicious files to evade defenses.
Microsoft, which has been heavily criticized recently for a series of security breaches that allowed state actors in China and Russia to compromise its infrastructure, has instituted a series of measures to prioritize security over all other product features as part of its security program.
“In addition, we will instill accountability based on a portion of the company’s senior leadership team’s compensation based on our progress toward security initiatives and milestones,” said Charlie Bell, executive vice president of security at Microsoft.
Software patches from other vendors
In addition to Microsoft, other vendors have released security updates over the past few weeks to fix multiple vulnerabilities, including: