2 Zero-Day Flaw Highlights Small Microsoft May Patch

After April's larger-than-usual security update, Microsoft has pumped the brakes for May, issuing a slimmed-down 59 CVEs (Common Vulnerabilities and Exposures).

While IT might have a lighter load this month, they will still have their hands full as there are two zero-day flaws that should be addressed immediately.

The first is CVE-2024-30040, which addresses a security feature bypass issue in the Windows MSHTML platform. According to Microsoft, if an attacker convinces a target to open a malicious file (typically through email), the exploit "bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls."

While the flaw has yet to be publicly disclosed, Microsoft has observed attacks taking advantage of it, so patch as soon as possible.

That goes for the second zero-day vulnerability of the month: CVE-2024-30051. This one addresses an elevation of privilege flaw in the Windows DWM Core Library which, if left unpatched, could let an attacker gain SYSTEM privileges. Unlike the previous issue, this one has been publicly disclosed as well as exploited, so haste is key.

Providing some more detail into this flaw is Satnam Narang, senior staff research engineer at security firm Tenable:

CVE-2024-30051 is used as part of post-compromise activity to elevate privileges as a local attacker. Typically, zero-day exploitation of an elevation of privilege flaw is often associated with targeted attack campaigns. However, we know that post-patch, threat actors continue to find success using privilege escalation flaws. For instance, a recent joint cybersecurity advisory about the Black Basta ransomware group from CISA, FBI, HHS and MS-ISAC notes the use of multiple privilege escalation flaws by Black Basta affiliates as part of their ransomware activity.

After those two items have gone through the proper testing, IT should prioritize the only item rated "Critical" this month. CVE-2024-30044 looks to fix a remote code execution flaw in Microsoft SharePoint Server. While not much is known about this flaw, Microsoft did say that a potential attack (none have been seen in the wild) would involve uploading "a specially crafted file to the targeted SharePoint Server and craft specialized API requests to trigger deserialization of file's parameters."
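Since the advice for all three items above is the same (get the May rollup installed), here is an added PowerShell check, not from the article or from Microsoft, for confirming on a given host that updates have landed since the May 14, 2024 Patch Tuesday and listing anything Windows Update still considers pending. It assumes an elevated PowerShell session on Windows with the stock Windows Update COM API (Microsoft.Update.Session) available; the date and the "2024-05" title filter are assumptions for this month.

```powershell
# Added example (not from the article): verify the May 2024 Patch Tuesday
# updates have been applied and list anything still pending.
# Assumptions: elevated PowerShell on Windows 10/11 or Windows Server;
# Microsoft.Update.Session COM object available (stock on those platforms).

$patchTuesday = Get-Date '2024-05-14'   # May 2024 Patch Tuesday (assumed reference date)

# 1. Updates already installed on or after Patch Tuesday.
#    Get-HotFix reads Win32_QuickFixEngineering; InstalledOn can be empty, so guard for it.
$installed = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn

if ($installed) {
    "Updates installed since $($patchTuesday.ToShortDateString()):"
    $installed | Format-Table -AutoSize
} else {
    Write-Warning "No updates recorded since $($patchTuesday.ToShortDateString()); this host probably lacks the May 2024 rollup."
}

# 2. Updates Windows Update knows about but has not installed yet.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates

# Keep the May 2024 packages plus anything Microsoft rates Critical/Important.
$pendingSecurity = @($pending | Where-Object {
    $_.Title -match '2024-05' -or $_.MsrcSeverity -in @('Critical', 'Important')
})

if ($pendingSecurity.Count -gt 0) {
    "Pending security updates ($($pendingSecurity.Count)):"
    $pendingSecurity | ForEach-Object {
        "{0}  [{1}]  KB{2}" -f $_.Title, $_.MsrcSeverity, (@($_.KBArticleIDs) -join ', KB')
    }
} else {
    "No pending security updates reported by Windows Update."
}

# 3. OS build, for cross-checking against the release notes of the May cumulative update.
$os = Get-CimInstance Win32_OperatingSystem
"OS: {0} build {1}" -f $os.Caption, $os.BuildNumber
```

Get-HotFix only reports packages recorded as QFEs, so the pending-update query against Windows Update is the more reliable half of the check; a host that shows nothing pending and a May-dated entry in the first list is patched for this cycle. Office itself is serviced separately (Click-to-Run or MSI), so CVE-2024-30040's Office-side mitigations need their own verification through the Office update channel.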

The full list of this month's bulletins can be found in Microsoft's Security Update Guide.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

