Microsoft Might 2024 Patch Tuesday fixes 3 zero-days, 61 flaws

Immediately is Microsoft’s Might 2024 Patch Tuesday, which incorporates security updates for 61 flaws and three actively exploited or publicly disclosed zero days.

This Patch Tuesday solely fixes one crucial vulnerability, a Microsoft SharePoint Server Distant Code Execution Vulnerability.

The variety of bugs in every vulnerability class is listed under:

• 17 Elevation of Privilege Vulnerabilities
• 2 Safety Characteristic Bypass Vulnerabilities
• 27 Distant Code Execution Vulnerabilities
• 7 Data Disclosure Vulnerabilities
• 3 Denial of Service Vulnerabilities
• 4 Spoofing Vulnerabilities

The entire depend of 61 flaws doesn’t embrace 2 Microsoft Edge flaws fastened on Might 2nd and 4 fastened on Might tenth.

To study extra in regards to the non-security updates launched in the present day, you may evaluate our devoted articles on the brand new Home windows 11 KB5037771 cumulative replace and the Home windows 10 KB5037768 replace.

Three zero-days fastened

This month’s Patch Tuesday fixes two actively exploited and one publicly disclosed zero-day vulnerabilities.

Microsoft classifies a zero-day as a flaw publicly disclosed or actively exploited with no official repair out there.

The 2 actively exploited zero-day vulnerabilities in in the present day’s updates are:

CVE-2024-30040 – Home windows MSHTML Platform Safety Characteristic Bypass Vulnerability

Microsoft has fastened an actively exploited bypass to OLE mitigations, which had been added to Microsoft 365 and Microsoft Workplace to guard customers from weak COM/OLE controls.

“An attacker must persuade the person to load a malicious file onto a weak system, usually by the use of an enticement in an E mail or On the spot Messenger message, after which persuade the person to control the specifically crafted file, however not essentially click on or open the malicious file,” explains Microsoft.

“An unauthenticated attacker who efficiently exploited this vulnerability may achieve code execution via convincing a person to open a malicious doc at which level the attacker may execute arbitrary code within the context of the person,” continued Microsoft.

It just isn’t recognized how the flaw was abused in assaults or who found it.

CVE-2024-30051 – Home windows DWM Core Library Elevation of Privilege Vulnerability

Microsoft has fastened an actively exploited Home windows DWM Core Library flaw that gives SYSTEM privileges.

“An attacker who efficiently exploited this vulnerability may achieve SYSTEM privileges,” explains Microsoft.

Kaspersky states that current Qakbot malware phishing assaults used malicious paperwork to take advantage of the flaw and achieve SYSTEM privileges on Home windows gadgets.

Microsoft mentioned the flaw was disclosed by the next researchers: Mert Degirmenci and Boris Larin with Kaspersky, Quan Jin with DBAPPSecurity WeBin Lab Guoxian Zhong with DBAPPSecurity WeBin Lab, and Vlad Stolyarov and Benoit Sevens of Google Menace Evaluation Group Bryce Abdo and Adam Brunner of Google Mandiant.

Microsoft states that the CVE-2024-30051 was additionally publicly disclosed, nevertheless it’s unclear the place that was achieved. As well as, Microsoft says a denial of service flaw in Microsoft Visible Studio tracked as CVE-2024-30046 was publicly disclosed as properly.

Current updates from different firms

Different distributors who launched updates or advisories in Might 2024 embrace:

Sadly, we are going to not be linking to SAP’s Patch Tuesday security updates as they’ve positioned them behind a buyer login.

The Might 2024 Patch Tuesday Safety Updates

Beneath is the entire listing of resolved vulnerabilities within the Might 2024 Patch Tuesday updates.

To entry the total description of every vulnerability and the programs it impacts, you may view the full report right here.