Microsoft rolls out 61 Patch Tuesday updates, warns of three zero-day bugs

Microsoft urges users to beware of at least one vulnerability being actively exploited in the wild.

David Hollingworth
Wed, 15 May 2024
Microsoft has released more than 60 patches this Patch Tuesday, including fixes for three zero-day vulnerabilities – one of which is being actively exploited.

CVE-2024-30051 is an elevation of privilege vulnerability in the Windows Desktop Window Manager Core Library. Successful exploitation grants full SYSTEM privileges.

CVE-2024-30046 is a denial-of-service flaw in Visual Studio, but one that needs a highly complex attack to win a particular race condition.

Lastly, CVE-2024-30040 is a security feature bypass vulnerability in Microsoft 365 and Office and has been observed being actively exploited. Any unpatched assets are vulnerable to this bug, so this one needs urgent attention.

Adam Barnett, Rapid7’s lead software engineer, was able to walk us through what makes the vulnerabilities tick.

“The first of today’s zero-day vulnerabilities is CVE-2024-30051, an elevation of privilege (EoP) vulnerability in the Windows Desktop Windows Manager (DWM) Core Library, which is listed on the CISA KEV list,” Barnett said.

“Successful exploitation grants SYSTEM privileges. First introduced as part of Windows Vista, DWM is responsible for drawing everything on the display of a Windows system. Courtesy of Microsoft’s recent enhancement of their security advisories to include Common Weakness Enumeration (CWE) data, the mechanism of exploitation is listed as CWE-122: Heap-based Buffer Overflow, which is just the sort of defect which recent US federal government calls for memory-safe software development are designed to address.

“The Windows MSHTML platform’s advisory (CVE-2024-30040) states that an attacker would have to convince a user to open a malicious file; successful exploitation bypasses COM/OLE protections in Microsoft 365 and Microsoft Office to achieve code execution in the context of the user.

“As Rapid7 has previously noted, MSHTML (also known as Trident) is still fully present in Windows – and unpatched assets are thus vulnerable to CVE-2024-30040 – regardless of whether or not a Windows asset has Internet Explorer 11 fully disabled.”

“Microsoft describes CVE-2024-30046 as requiring a highly complex attack to win a race condition through ‘[the investment of] time in repeated exploitation attempts through sending constant or intermittent data’.

“Since all data sent anywhere is transmitted either constantly or intermittently, and the rest of the advisory is short on detail, the potential impact of exploitation remains unclear. Only Visual Studio 2022 receives an update, so older supported versions of Visual Studio are presumably unaffected.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
