
Microsoft fixes 61 vulnerabilities, including two actively exploited Zero-Days

May 15, 2024 | Newsroom | Patch Tuesday / Vulnerability

Microsoft has addressed a total of 61 new security flaws in its software as part of its Update Tuesday for May 2024, including two zero-days that have been actively exploited in the wild.

Of the 61 flaws, one was rated critical, 59 were rated important, and one was rated moderate in severity. This is in addition to 30 vulnerabilities resolved in the Chromium-based Edge browser in the past month, including two recently disclosed zero-days (CVE-2024-4671 and CVE-2024-4761) that have been flagged as being used in attacks.

The two security flaws that have been exploited in the wild are listed below:

  • CVE-2024-30040 (CVSS Score: 8.8) – Windows MSHTML Platform Security Bypass Vulnerability
  • CVE-2024-30051 (CVSS Score: 7.8) – Elevation of privilege vulnerability in the Windows Desktop Window Manager (DWM) core library

“An unauthorized attacker who successfully exploited this vulnerability could obtain code execution by convincing a user to open a malicious document, at which point the attacker could execute arbitrary code in the user’s context,” the tech giant said in an advisory for CVE-2024-30040.

Successful exploitation requires an attacker to convince a user to load a specially crafted file onto a vulnerable system, delivered via email or instant message, and to interact with it. Notably, the victim does not have to click or open the malicious file for the attack to succeed.

CVE-2024-30051, for its part, could allow a threat actor to gain SYSTEM privileges. Three groups of researchers from Kaspersky, DBAPPSecurity WeBin Lab, Google Threat Analysis Group and Mandiant are credited with discovering and reporting the flaw, which indicates likely widespread exploitation.


“We’ve seen it used alongside QakBot and other malware, and we believe multiple threats have access to it,” said Kaspersky researchers Boris Larin and Mert Degirmenci.

Both vulnerabilities have been added by the US Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the latest patches by June 4, 2024.
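A KEV listing only matters if someone turns it into a deadline on the patching queue. The script below is an added example (not code from the article, Microsoft or CISA): it indexes a KEV catalog snapshot and ranks this month's CVEs by how many days remain before CISA's due date. The JSON field names (`vulnerabilities`, `cveID`, `dueDate`, `knownRansomwareCampaignUse`, ...) follow the public CISA feed; the snapshot itself is constructed for offline use and contains only the two zero-days from the article plus a dummy entry, not a copy of the live catalog.

```python
"""Triage a CISA KEV catalog snapshot against a Patch Tuesday CVE list.

Added example, not part of the original article. The catalog shape (a top-level
"vulnerabilities" list with cveID, vendorProject, product, dateAdded, dueDate and
knownRansomwareCampaignUse fields) mirrors the JSON feed CISA publishes at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
The snapshot below is constructed for offline use; CVE-0000-00000 is a placeholder.
"""
import json
from datetime import date

# Constructed KEV snapshot: the two zero-days named in the article plus one
# unrelated placeholder entry so the filtering step has something to drop.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2024-30040", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2024-05-14", "dueDate": "2024-06-04",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-30051", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2024-05-14", "dueDate": "2024-06-04",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "dateAdded": "2024-01-01", "dueDate": "2024-01-22",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# CVEs the article names for the May 2024 release.
PATCH_TUESDAY_CVES = [
    "CVE-2024-30040", "CVE-2024-30051", "CVE-2024-29996", "CVE-2024-30025",
    "CVE-2024-30037", "CVE-2024-30028", "CVE-2024-30030", "CVE-2024-30033",
    "CVE-2024-30018", "CVE-2024-30050",
]


def load_kev(raw: str) -> dict:
    """Parse a KEV JSON document and index its entries by CVE id."""
    doc = json.loads(raw)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def triage(cves, kev: dict, today: date) -> list:
    """Return (cve, due_date, days_left, ransomware_use) for every CVE that is in KEV.

    CVEs not in the catalog are skipped (they may still need patching, but carry no
    federal deadline). Rows are sorted most urgent first; negative days_left is overdue.
    """
    rows = []
    for cve in cves:
        entry = kev.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append((cve, due.isoformat(), (due - today).days,
                     entry["knownRansomwareCampaignUse"]))
    rows.sort(key=lambda row: row[2])
    return rows


def overdue(cves, kev: dict, today: date) -> list:
    """CVE ids whose KEV due date has already passed as of `today`."""
    return [row[0] for row in triage(cves, kev, today) if row[2] < 0]


if __name__ == "__main__":
    catalog = load_kev(KEV_SNAPSHOT)
    for cve, due, days, ransomware in triage(PATCH_TUESDAY_CVES, catalog, date(2024, 5, 15)):
        print(f"{cve}: due {due}, {days} days left, known ransomware use: {ransomware}")
```

Run against the real feed, `load_kev` takes the downloaded JSON text unchanged; the only change needed is swapping `KEV_SNAPSHOT` for the file contents. Using `date.today()` instead of a fixed date makes `overdue` a daily check rather than a one-off.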

Microsoft has also resolved several remote code execution bugs, including nine affecting the Windows Mobile Broadband Driver and seven affecting the Windows Routing and Remote Access Service (RRAS).

Other notable flaws include privilege escalation bugs in the Common Log File System (CLFS) driver (CVE-2024-29996 and CVE-2024-30025, CVSS scores: 7.8; CVE-2024-30037, CVSS score: 7.5), Win32k (CVE-2024-30028 and CVE-2024-30030, CVSS scores: 7.8), Windows Search Service (CVE-2024-30033, CVSS score: 7.0), and the Windows Kernel (CVE-2024-30018, CVSS score: 7.8).

In March 2024, Kaspersky revealed that threat actors are actively trying to exploit already fixed privilege escalation flaws in various Windows components due to the fact that “it’s a very easy way to get a quick NT AUTHORITY\SYSTEM”.

Akamai further outlined a new privilege escalation technique affecting Active Directory (AD) environments that takes advantage of the DHCP Administrators group.

“In cases where the DHCP server role is installed on a domain controller (DC), this may allow them to gain domain administrator privileges,” the company notes. “In addition to providing a privilege escalation primitive, the same technique can also be used to create a hidden domain resilience mechanism.”


The list ends with a security feature bypass vulnerability (CVE-2024-30050, CVSS score: 5.4) affecting Windows Mark-of-the-Web (MotW), which a malicious file could exploit to evade the security feature.
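Mark-of-the-Web is the tag Windows attaches to files that arrived from the internet: an NTFS alternate data stream named `Zone.Identifier` whose INI-style body records the URL security zone (and, on newer builds, the referrer and host URL). Defender-side, the useful check is whether downloaded files still carry it and which zone they claim. The block below is an added example, not code from the article, Microsoft or any of the vendors named: it parses the stream body, reads the stream from a file on Windows, and audits a set of files for missing or internet-zone marks. The sample stream bodies are constructed; the zone id table follows the Windows URL security zone numbering.

```python
"""Inspect the Mark-of-the-Web (Zone.Identifier stream) that Windows puts on downloads.

Added example, not part of the original article. The stream is an INI-style record:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=https://example.com/
    HostUrl=https://example.com/report.exe

The sample bodies below are constructed for offline use.
"""
import configparser
import os

# URL security zone ids as Windows uses them in the ZoneId key.
ZONE_NAMES = {
    0: "LocalMachine",
    1: "LocalIntranet",
    2: "TrustedSites",
    3: "Internet",
    4: "RestrictedSites",
}


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse a Zone.Identifier body. Returns {} when it is not a valid MotW record."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        parser.read_string(stream_text)
    except configparser.Error:
        return {}
    if not parser.has_option("ZoneTransfer", "ZoneId"):
        return {}
    section = parser["ZoneTransfer"]
    try:
        zone_id = int(section["ZoneId"])
    except ValueError:
        return {}
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer": section.get("ReferrerUrl", ""),
        "host": section.get("HostUrl", ""),
    }


def read_motw(path: str) -> dict:
    """Read a file's Zone.Identifier stream on NTFS (Windows only); {} when absent."""
    if os.name != "nt":
        raise OSError("alternate data streams can only be opened on Windows/NTFS")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as stream:
            return parse_zone_identifier(stream.read())
    except FileNotFoundError:
        return {}


def audit(files: dict) -> dict:
    """Classify {filename: stream body or None} into unmarked / internet / other.

    A file with no stream (None) or an unparsable stream is reported as unmarked,
    which is exactly what a MotW bypass produces on disk.
    """
    report = {"unmarked": [], "internet": [], "other": []}
    for name, body in files.items():
        mark = parse_zone_identifier(body) if body is not None else {}
        if not mark:
            report["unmarked"].append(name)
        elif mark["zone_id"] >= 3:
            report["internet"].append(name)
        else:
            report["other"].append(name)
    return report


# Constructed sample: one internet download, one intranet file, one with no mark.
SAMPLE_FILES = {
    "invoice.docx": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.com/\r\n"
                    "HostUrl=https://example.com/invoice.docx\r\n",
    "tool.exe": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "notes.txt": None,
}

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_FILES).items():
        print(f"{bucket}: {names}")
```

On a live Windows host, replace the `SAMPLE_FILES` dictionary with `{p: read_motw(p) and open(p + ':Zone.Identifier').read() for p in paths}` or simply call `read_motw` per file; the `audit` bucketing stays the same. Files in the `unmarked` bucket that are known to have been downloaded are the ones worth a second look.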

Software patches from other vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to fix several vulnerabilities including –

