Patch Tuesday has revealed 61 vulnerabilities
Microsoft is addressing 61 vulnerabilities this May 2024 Patch Tuesday and has evidence of in-the-wild exploitation and/or public disclosure for three of the vulnerabilities published today.
At the time of writing, two of the vulnerabilities patched today are listed on CISA KEV, and Microsoft is also patching a single critical remote code execution (RCE) vulnerability. Six browser vulnerabilities were published separately this month and are not included in the total.
The first of today's zero-day vulnerabilities is CVE-2024-30051, an elevation of privilege (EoP) vulnerability in the Windows Desktop Window Manager (DWM) Core Library, which is listed on the CISA KEV list. Successful exploitation grants SYSTEM privileges. First introduced as part of Windows Vista, DWM is responsible for drawing everything on the display of a Windows system. Courtesy of Microsoft's recent enhancement of its security advisories to include Common Weakness Enumeration (CWE) data, the mechanism of exploitation is listed as CWE-122: Heap-based Buffer Overflow, which is just the sort of defect that recent US federal government calls for memory-safe software development are designed to address.
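To make the CWE-122 classification concrete, here is a small constructed C example (added here; it is not code from Microsoft, from DWM, or from the advisory, and it does not model the actual CVE-2024-30051 defect). A length-prefixed field from an untrusted message is copied into a fixed-size heap buffer. The first loader trusts the claimed length, which is the shape of a heap-based buffer overflow; the second validates it against the destination capacity before any memory is written. The message layout, the `field_t` type and the 16-byte capacity are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a heap allocation of fixed capacity receives a
 * length-prefixed field whose length byte comes from untrusted input. */
#define FIELD_CAPACITY 16

typedef struct {
    uint8_t *data;      /* heap allocation of FIELD_CAPACITY bytes */
    size_t   capacity;
} field_t;

field_t *field_new(void) {
    field_t *f = malloc(sizeof *f);
    if (!f) return NULL;
    f->data = calloc(FIELD_CAPACITY, 1);
    if (!f->data) { free(f); return NULL; }
    f->capacity = FIELD_CAPACITY;
    return f;
}

void field_free(field_t *f) {
    if (f) { free(f->data); free(f); }
}

/* Vulnerable pattern (CWE-122): only the source bound is checked. On
 * well-formed input this behaves; a message whose length byte exceeds the
 * allocation makes memcpy write past the end of the heap buffer. */
int field_load_unchecked(field_t *f, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (msg_len < 1 + len) return -1;   /* source bound checked ... */
    memcpy(f->data, msg + 1, len);      /* ... destination bound is not */
    return (int)len;
}

/* Hardened pattern: validate the claimed length against both the remaining
 * message and the destination capacity before touching memory. */
int field_load_checked(field_t *f, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (msg_len < 1 + len) return -1;
    if (len > f->capacity) return -1;   /* reject rather than overflow */
    memcpy(f->data, msg + 1, len);
    return (int)len;
}

/* Returns 1 if the checked loader rejects a message that claims more bytes
 * than the heap buffer can hold (the input the unchecked loader would copy). */
int checked_rejects_oversized(void) {
    uint8_t msg[1 + 32];
    msg[0] = 32;                        /* claims 32 bytes, capacity is 16 */
    memset(msg + 1, 'A', 32);
    field_t *f = field_new();
    if (!f) return -1;
    int r = field_load_checked(f, msg, sizeof msg);
    field_free(f);
    return r == -1;
}

int main(void) {
    /* Constructed well-formed message: length byte 8 followed by 8 bytes. */
    uint8_t good[1 + 8] = {8, 'p', 'a', 't', 'c', 'h', 'e', 'd', '!'};
    field_t *f = field_new();
    if (!f) return 1;
    printf("checked loader copied %d bytes\n", field_load_checked(f, good, sizeof good));
    printf("oversized claim rejected: %s\n", checked_rejects_oversized() == 1 ? "yes" : "no");
    field_free(f);
    return 0;
}
```

The point for defenders is that the unchecked loader passes every test written against well-formed input; the defect only surfaces when the length byte is attacker-controlled, which is why memory-safe languages and bounds-checked copies remove the whole class rather than one instance.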
The Windows MSHTML platform receives a patch for CVE-2024-30040, a security feature bypass vulnerability for which Microsoft has evidence of exploitation in the wild and which CISA has also listed on KEV. The advisory states that an attacker would have to convince a user to open a malicious file; successful exploitation bypasses COM/OLE protections in Microsoft 365 and Microsoft Office to achieve code execution in the context of the user. As Rapid7 has previously noted, MSHTML (also known as Trident) is still fully present in Windows — and unpatched assets are thus vulnerable to CVE-2024-30040 — regardless of whether or not a Windows asset has Internet Explorer 11 fully disabled.
Rounding out today's trio of zero-day vulnerabilities: a denial of service (DoS) vulnerability in Visual Studio. Microsoft describes CVE-2024-30046 as requiring a highly complex attack to win a race condition through "[the investment of] time in repeated exploitation attempts through sending constant or intermittent data". Since all data sent anywhere is transmitted either constantly or intermittently, and the rest of the advisory is short on detail, the potential impact of exploitation remains unclear. Only Visual Studio 2022 receives an update, so older supported versions of Visual Studio are presumably unaffected.
SharePoint admins are no strangers to patches for critical RCE vulnerabilities. CVE-2024-30044 allows an authenticated attacker with Site Owner permissions or higher to achieve code execution in the context of SharePoint Server via upload of a specially crafted file followed by specific API calls to trigger deserialisation of the file's parameters. Microsoft considers exploitation more likely, and the low attack complexity and network attack vector contribute to a relatively high CVSS 3.1 base score of 8.8, although the advisory also lists the privileges required vector component as low, which is debatable given the Site Owner authentication requirement for exploitation. Microsoft has previously published an accessible introduction to deserialisation vulnerabilities and the risks of assuming data to be trustworthy, aimed at .NET developers.
Microsoft Excel receives a patch for CVE-2024-30042. Successful exploitation requires that an attacker convince the user to open a malicious file, which leads to code execution, presumably in the context of the user.
Also of interest today: Microsoft is releasing updated patches for three Windows Remote Access Connection Manager information disclosure vulnerabilities originally published in April 2024: CVE-2024-26207, CVE-2024-26217, and CVE-2024-28902. Microsoft states that an unspecified regression introduced by the April patches is resolved by installation of the May patches.
Back in 2021, Microsoft started publishing the Assigning CNA (CVE Numbering Authority) field on advisories. A welcome trend of publishing advisories for third-party software included in Microsoft products continues this month, with two vulnerabilities in MinGit patched as part of the May 2024 Windows security updates. MinGit is published by GitHub and consumed by Visual Studio. CVE-2024-32002 describes an RCE vulnerability on case-insensitive filesystems that support symlinks — macOS APFS comes to mind — and CVE-2024-32004 describes RCE while cloning specially-crafted local repositories.
Finally, there are no significant changes to the lifecycle phase of Microsoft products this month.