Microsoft Patches Multiple Zero-Day and Critical Bugs in Latest Security Update: Microsoft addresses multiple zero-day vulnerabilities and other critical security flaws in their latest Patch, emphasizing the urgency for system administrators to apply these patches to safeguard their environments.
Short Summary on Microsoft Patches Multiple Zero-Day and Critical Bugs in Latest Security Update:
- Microsoft released 61 security updates in the latest Patch Tuesday.
- Two actively exploited zero-day vulnerabilities were patched.
- A critical flaw in SharePoint Server addressed.
On the recent Patch Tuesday, Microsoft rolled out a substantial security update addressing over sixty vulnerabilities, including urgent fixes for two zero-day vulnerabilities currently exploited in the wild. This is a critical update for system administrators aiming to protect their environments against escalating cyber threats.
Among the highlights is the remediation of CVE-2024-30051, a vulnerability in the Windows Desktop Window Manager (DWM).
This elevation of privilege vulnerability, primarily affecting environments with numerous and diverse local users such as corporate networks and academic institutions, has been actively exploited. Mike Walters, President of Action1, highlighted its potential dangers:
“This vulnerability can be exploited by a low-privileged local user on a shared system to gain system-level access, allowing them to install software, alter or delete data, and modify system settings destructively,” Walters explained.
The CVE-2024-30051 flaw originates from a heap-based buffer overflow in the DWM Core Library. If successfully exploited, attackers can gain comprehensive control over a system, potentially disabling security features, stealing sensitive data, or conducting lateral movements within a network.
Another critical zero-day vulnerability fixed is CVE-2024-30040, a security feature bypass flaw in the Windows MSHTML platform.
This flaw leverages weaknesses in Object Linking and Embedding (OLE) technology used in Microsoft 365 and Office to embed content between applications. Diksha Ojha from Qualys explained the significance:
“The vulnerability can bypass OLE mitigations in Microsoft 365 and Microsoft Office, protecting users from vulnerable COM/OLE controls,” Ojha said. “An unauthenticated attacker may exploit this vulnerability to execute code by convincing a user to open a malicious document.”
Exploitation of CVE-2024-30040 requires user interaction, specifically convincing the target to manipulate a specially crafted file. Despite Internet Explorer 11 reaching the end of support, the MSHTML browser engine remains a critical component, ensuring patches for its vulnerabilities are essential.
Additionally, Microsoft addressed another zero-day, CVE-2024-30046, a denial-of-service flaw in Visual Studio. While this vulnerability has not seen active exploitation, the potential for abuse remains significant.
Successful exploitation demands an attacker to persistently bombard the system with data, a high-complexity attack method.
The only critical vulnerability addressed in this month’s update is CVE-2024-30044, a remote code execution (RCE) flaw in Microsoft SharePoint Server. Analysts note that exploiting this flaw requires significant preparation of the target environment. Despite these hurdles, its high impact warrants immediate patching.
Chris Goettl, vice president of product management for security products at Ivanti, stressed the broader implications of this vulnerability:
“The other part that’s interesting about this vulnerability is that while it bypasses the OLE mitigations in Microsoft 365 and Microsoft Office, the only fix listed is for the Windows OS. There is no Microsoft Office patch to download,” Goettl remarked.
Beyond these high-profile fixes, the update also resolved vulnerabilities across various other products. Microsoft republished eight vulnerabilities affecting third-party software from GitHub and Google Chrome, underlining the interconnected nature of today’s software ecosystem. Mozilla also addressed 16 new vulnerabilities in Firefox on the same Patch Tuesday.
Chris Goettl emphasized the critical nature of browser security in light of these updates:
“Update all your browsers. That should be IT’s number-one priority this month,” Goettl stated.
Notably, multiple vulnerabilities in Windows Mobile Broadband Driver and Windows Routing and Remote Access Service (RRAS) were patched, alongside privilege escalation flaws in the Common Log File System (CLFS) driver and Windows Kernel, showcasing the breadth of Microsoft’s security response.
The discovery of the CVE-2024-30051 vulnerability was credited to multiple groups, including Kaspersky, DBAPPSecurity WeBin Lab, Google Threat Analysis Group, and Mandiant. This underscores the collaborative nature of contemporary cybersecurity efforts. Kaspersky researchers provided insight into the real-world use of this exploit:
“We have seen it used together with QakBot and other malware, and believe that multiple threat actors have access to it,” noted Kaspersky researchers Boris Larin and Mert Degirmenci.
The successful exploitation of CVE-2024-30051 permits attackers to gain SYSTEM privileges, posing severe risks. This vulnerability, along with CVE-2024-30040, has been added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which mandates federal agencies to apply the patches by June 4, 2024.
This update cycle reaffirms the importance of maintaining rigorous patch management practices to mitigate risk. As trends show, vulnerabilities in widely used platforms remain prime targets, necessitating immediate and comprehensive security responses.
Microsoft’s Patch Tuesday continues to play a pivotal role in the cybersecurity landscape, emphasizing the proactive steps required to maintain secure environments. Organizations are urged to apply these patches promptly to safeguard against potential exploits that can lead to significant operational disruptions.
For a detailed breakdown of the vulnerabilities addressed and insights into this month’s patches, visit Microsoft’s official advisory pages.
