Microsoft May Patch Tuesday Fixes Two Actively Exploited Zero Days

An expert called one of the vulnerabilities a "vital security threat"

John Leonard

Microsoft has fixed 60 Windows CVEs in its May Patch Tuesday update, two of which are actively exploited zero days. One is a critical vulnerability, earning an 8.8 CVSS rating.

Among the most serious vulnerabilities patched in the May update is a remote code execution (RCE) fault in SharePoint Server (CVE-2024-30044, CVSS 8.8). It allows an unauthenticated attacker to inject arbitrary code followed by specific API calls to trigger deserialization of the file's parameters.

Kev Breen, senior director threat research at Immersive Labs, said an attacker with code execution or even privileged access to a company SharePoint server "could launch further attacks or move laterally in the network by modifying files with Trojaned versions or in the case of a document store gain access to large volumes of sensitive information."

However, Satnam Narang, senior staff research engineer at Tenable, noted that exploitation is not straightforward, as it requires the attacker to have "Site Owner" permissions (or higher), with additional steps required to exploit this flaw, "which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance."

CVE-2024-30051 is an elevation of privilege zero-day bug in the Windows DWM core library with a 7.8 CVSS severity rating. DWM is responsible for drawing everything on the display of a Windows system. According to researchers at Kaspersky, it is being used by several groups to deploy modified versions of the QakBot banking Trojan. QakBot is widely used to deploy ransomware and other malware.

Saeed Abbasi, product manager vulnerability research, Qualys Threat Research Unit, described the bug as a "vital security threat" because it allows attackers to gain System privileges.

"Exploitation is feasible with low attack complexity and no user interaction, increasing the likelihood of widespread attacks," he said. "The involvement of multiple recognized security researchers highlights the importance of this vulnerability in security circles, which could lead to increased attempts at exploitation."

Narang noted that "CVE-2024-30051 is the second DWM core library zero day that was exploited in the wild in at least the last six months." Microsoft patched CVE-2023-36033 in November 2023. The company provided no detail about how the latest bug is being exploited, nor by whom.

The other zero day patched this month is CVE-2024-30040, a security feature bypass bug in Windows MSHTML, which received an 8.8 CVSS score. An attacker could use social engineering to persuade a victim to load a malicious file, then bypass OLE mitigations in Microsoft 365 and Office to execute code. This bug is being actively exploited, but again Microsoft has not provided details.

Breen said that fixing CVE-2024-30040 should be a priority but criticized Microsoft's disclosure as "painfully obtuse."

"The confusing part is Microsoft's statement that an attacker must 'convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file.' This statement can make it hard for security teams to create robust detection rules without knowing exactly what is required."

Microsoft also released updated patches for three Windows Remote Access Connection Manager information disclosure vulnerabilities originally published in April 2024: CVE-2024-26207, CVE-2024-26217, and CVE-2024-28902. Microsoft states that an unspecified regression introduced by the April patches is resolved by installation of the May patches.

Amid a slew of other third-party updates, administrators are advised to update all browsers, particularly Firefox and Chrome, in which critical vulnerabilities were recently patched. macOS also received an important fix on May 13.

This article originally appeared on our sister site Computing
