Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws

At present is Microsoft’s Might 2024 Patch Tuesday, which incorporates safety updates for 61 flaws and three actively exploited or publicly disclosed zero days.

This Patch Tuesday solely fixes one crucial vulnerability, a Microsoft SharePoint Server Distant Code Execution Vulnerability.

The variety of bugs in every vulnerability class is listed under:

• 17 Elevation of Privilege Vulnerabilities
• 2 Safety Characteristic Bypass Vulnerabilities
• 27 Distant Code Execution Vulnerabilities
• 7 Data Disclosure Vulnerabilities
• 3 Denial of Service Vulnerabilities
• 4 Spoofing Vulnerabilities

The entire rely of 61 flaws doesn’t embrace 2 Microsoft Edge flaws fastened on Might 2nd and 4 fastened on Might tenth.

To study extra in regards to the non-security updates launched as we speak, you possibly can evaluate our devoted articles on the brand new Home windows 11 KB5037771 cumulative replace and the Home windows 10 KB5037768 replace.

Three zero-days fastened

This month’s Patch Tuesday fixes two actively exploited and one publicly disclosed zero-day vulnerabilities.

Microsoft classifies a zero-day as a flaw publicly disclosed or actively exploited with no official repair out there.

The 2 actively exploited zero-day vulnerabilities in as we speak’s updates are:

CVE-2024-30040 – Home windows MSHTML Platform Safety Characteristic Bypass Vulnerability

Microsoft has fastened an actively exploited bypass to OLE mitigations, which have been added to Microsoft 365 and Microsoft Workplace to guard customers from susceptible COM/OLE controls.

“An attacker must persuade the person to load a malicious file onto a susceptible system, sometimes by the use of an enticement in an E mail or Immediate Messenger message, after which persuade the person to control the specifically crafted file, however not essentially click on or open the malicious file,” explains Microsoft.

“An unauthenticated attacker who efficiently exploited this vulnerability may acquire code execution by means of convincing a person to open a malicious doc at which level the attacker may execute arbitrary code within the context of the person,” continued Microsoft.

It just isn’t recognized how the flaw was abused in assaults or who found it.

CVE-2024-30051 – Home windows DWM Core Library Elevation of Privilege Vulnerability

Microsoft has fastened an actively exploited Home windows DWM Core Library flaw that gives SYSTEM privileges.

“An attacker who efficiently exploited this vulnerability may acquire SYSTEM privileges,” explains Microsoft.

Kaspersky states that current Qakbot malware phishing assaults used malicious paperwork to take advantage of the flaw and acquire SYSTEM privileges on Home windows units.

Microsoft stated the flaw was disclosed by the next researchers: Mert Degirmenci and Boris Larin with Kaspersky, Quan Jin with DBAPPSecurity WeBin Lab Guoxian Zhong with DBAPPSecurity WeBin Lab, and Vlad Stolyarov and Benoit Sevens of Google Risk Evaluation Group Bryce Abdo and Adam Brunner of Google Mandiant.

Microsoft states that the CVE-2024-30051 was additionally publicly disclosed, nevertheless it’s unclear the place that was accomplished. As well as, Microsoft says a denial of service flaw in Microsoft Visible Studio tracked as CVE-2024-30046 was publicly disclosed as properly.

Current updates from different corporations

Different distributors who launched updates or advisories in Might 2024 embrace:

Sadly, we are going to not be linking to SAP’s Patch Tuesday safety updates as they’ve positioned them behind a buyer login.

The Might 2024 Patch Tuesday Safety Updates

Under is the entire listing of resolved vulnerabilities within the Might 2024 Patch Tuesday updates.

To entry the complete description of every vulnerability and the methods it impacts, you possibly can view the full report right here.