Microsoft Fixes 61 Flaws, Including Two Actively Exploited Zero-Days

May 15, 2024 | Newsroom | Patch Tuesday / Vulnerability

Microsoft addressed a total of 61 new security flaws in its software as part of the May 2024 Patch Tuesday updates, including two zero-days that have been actively exploited in the wild.

Of the 61 flaws, one is rated Critical, 59 Important and one Moderate. This is in addition to 30 vulnerabilities fixed in the Chromium-based Edge browser over the past month, including two recently disclosed zero-days (CVE-2024-4671 and CVE-2024-4761) that have been tagged as exploited in attacks.

The two security flaws that have been weaponized in the wild are listed below:

  • CVE-2024-30040 (CVSS score: 8.8) – Windows MSHTML Platform Security Feature Bypass Vulnerability
  • CVE-2024-30051 (CVSS score: 7.8) – Windows DWM Core Library Elevation of Privilege Vulnerability

“An unauthenticated attacker who successfully exploited this vulnerability could obtain code execution by convincing a user to open a malicious document, allowing the attacker to execute arbitrary code in the user’s context,” the tech giant said in an advisory for CVE-2024-30040.

Successful exploitation, however, requires the attacker to convince the user to load a specially crafted file onto a vulnerable system, typically distributed via email or instant message, and to trick the user into manipulating it. Notably, the victim does not have to click on or open the malicious file for the attack to trigger.

On the other hand, CVE-2024-30051 could allow a threat actor to gain SYSTEM privileges. Three groups of researchers from Kaspersky, DBAPPSecurity WeBin Lab, Google Threat Analysis Group and Mandiant have been credited with discovering and reporting the flaw, indicating likely widespread exploitation.

“We have seen it used together with QakBot and other malware and believe multiple threat actors have access to it,” said Kaspersky researchers Boris Larin and Mert Degirmenci.

Both vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), requiring federal agencies to adopt the latest fixes by June 4, 2024.
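The KEV listing above is what turns a news item into a remediation deadline. As an added example (not from the article or from CISA), the snippet below parses a feed in the shape of CISA's KEV JSON (field names follow the public feed as I know them; the sample itself is constructed and contains only the two CVEs and the June 4, 2024 due date named here) and reports, for a list of CVEs still unpatched in your estate, how many days remain before each KEV deadline.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. Not the real feed:
# only the two zero-days and the due date cited in the article are included.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-30040", "vendorProject": "Microsoft",
         "product": "Windows", "dueDate": "2024-06-04"},
        {"cveID": "CVE-2024-30051", "vendorProject": "Microsoft",
         "product": "Windows", "dueDate": "2024-06-04"},
    ]
})


def parse_kev(feed_json: str) -> dict:
    """Index a KEV-format feed by CVE ID, converting dueDate to a date object."""
    entries = json.loads(feed_json)["vulnerabilities"]
    return {
        e["cveID"]: {**e, "dueDate": date.fromisoformat(e["dueDate"])}
        for e in entries
    }


def triage(feed_json: str, unpatched_cves: list, today: date) -> dict:
    """Map each unpatched CVE to days remaining until its KEV due date.

    A negative value means the deadline has already passed; None means the
    CVE is not in the feed (no federal deadline, but not necessarily safe).
    """
    kev = parse_kev(feed_json)
    result = {}
    for cve in unpatched_cves:
        entry = kev.get(cve)
        result[cve] = (entry["dueDate"] - today).days if entry else None
    return result


if __name__ == "__main__":
    # Hypothetical unpatched set: the two zero-days plus a Win32k bug from the article.
    pending = ["CVE-2024-30040", "CVE-2024-30051", "CVE-2024-30028"]
    for cve, days in triage(KEV_SAMPLE, pending, date(2024, 5, 15)).items():
        status = "not in KEV feed" if days is None else f"{days} days to KEV deadline"
        print(f"{cve}: {status}")
```

Point the same function at the live feed once downloaded and at your vulnerability scanner's open findings to turn the catalog into a prioritised patch list.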

Also fixed by Microsoft are several remote code execution bugs, including nine affecting the Windows Mobile Broadband Driver and seven affecting Windows Routing and Remote Access Service (RRAS).

Other notable flaws include privilege escalation bugs in the Common Log File System (CLFS) driver (CVE-2024-29996 and CVE-2024-30025, CVSS scores: 7.8; CVE-2024-30037, CVSS score: 7.5), Win32k (CVE-2024-30028 and CVE-2024-30030, CVSS scores: 7.8), Windows Search Service (CVE-2024-30033, CVSS score: 7.0) and Windows Kernel (CVE-2024-30018, CVSS score: 7.8).

In March 2024, Kaspersky revealed that threat actors were actively trying to exploit now-patched privilege escalation flaws in various Windows components because “it is a very easy way to quickly get an NT AUTHORITY\SYSTEM.”

Akamai has also outlined a new privilege escalation technique affecting Active Directory (AD) environments that abuses the DHCP Administrators group.

“In cases where the DHCP server role is installed on a domain controller (DC), this may allow them to gain domain administrator rights,” the company said. “In addition to providing a primitive escalation of privilege, the same technique could also be used to create a stealthy domain persistence mechanism.”

Rounding out the list is a security feature bypass vulnerability (CVE-2024-30050, CVSS score: 5.4) affecting Windows Mark-of-the-Web (MotW) that can be exploited through a malicious file to evade defenses.

Microsoft, which was recently excoriated for a series of security lapses that led to breaches of its infrastructure by nation-state actors from China and Russia, has outlined a series of steps to prioritize security above all other product features as part of its Secure Future Initiative (SFI).

“Additionally, we will provide accountability by basing a portion of the company’s Senior Leadership Team compensation on our progress toward achieving our security plans and milestones,” said Charlie Bell, executive vice president of Microsoft Security.

Software patches from other suppliers

In addition to Microsoft, security updates have also been released by other vendors in recent weeks to address various vulnerabilities, including:
