
Microsoft patches two zero-days, 57 other CVEs on Patch Tuesday


Microsoft has released patches for two zero-day vulnerabilities being exploited in the wild, along with fixes for another 57 CVEs on its monthly Patch Tuesday.

Satnam Narang, senior staff research engineer at security shop Tenable, said the number of CVEs patched was down sharply from the 147 patched in April which, incidentally, was the highest on any Patch Tuesday.

Said Narang: “This month, Microsoft patched two zero-day vulnerabilities that were exploited in the wild – CVE-2024-30051, an elevation of privilege flaw in the DWM Core Library in Microsoft Windows and CVE-2024-30040, a security feature bypass in the MSHTML (Trident) Engine in Microsoft Windows.

“CVE-2024-30051 is used as part of post-compromise activity to elevate privileges as a local attacker. Typically, zero-day exploitation of an elevation of privilege flaw is often associated with targeted attack campaigns.

"However, we know that post-patch, threat actors continue to find success using privilege escalation flaws. For instance, a recent joint cyber security advisory about the Black Basta ransomware group from CISA, FBI, HHS and MS-ISAC noted the use of multiple privilege escalation flaws by Black Basta affiliates as part of their ransomware activity."

He said CVE-2024-30051 was used to gain initial access into a target environment and required the use of social engineering tactics via email, social media or instant messaging to convince a target to open a specially crafted document file.

"Once exploited, the attacker can bypass object linking and embedding mitigations in Microsoft 365 and Microsoft Office, which are security features designed to protect end users from malicious files," he added.

Narang said CVE-2024-30051 was the second DWM Core Library zero-day exploited in the wild in at least the last six months.

"Microsoft patched CVE-2023-36033 in November 2023. No details are public at this time for either flaw, but it is possible that in-the-wild exploitation may be linked to the same threat actor either through the discovery of another privilege escalation flaw in the same library.

"Alternatively, CVE-2024-30051 could be the result of a patch bypass – an incomplete fix for CVE-2023-36033."

He said CVE-2024-30040 was the first vulnerability in MSHTML disclosed in 2024.

"It was preceded by eight MSHTML vulnerabilities that were patched in 2023 from February 2023 through to December 2023. Of the previous eight flaws, CVE-2023-32046, an elevation of privilege vulnerability, was the only one exploited in the wild as a zero-day and patched in July 2023."

Narang said the SharePoint vulnerability (CVE-2024-30044) was worthy of note as it was the only vulnerability rated “critical” in this month’s release.

"While this vulnerability is also considered one of several vulnerabilities that are more likely to be exploited, exploitation requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher) first and to take additional steps in order to exploit this flaw, which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance,” he explained.

Going by Adam Barnett's count, the number of flaws addressed by Microsoft was 61. The lead software engineer from security firm Rapid7 said Microsoft had also patched a single critical remote code execution vulnerability, while six browser vulnerabilities were published separately this month and were not included in the total.

"Microsoft Excel receives a patch for CVE-2024-30042. Successful exploitation requires that an attacker convince the user to open a malicious file, which leads to code execution, presumably in the context of the user," Barnett said.

"Also of interest: Microsoft is releasing updated patches for three Windows Remote Access Connection Manager information disclosure vulnerabilities originally published in April 2024: CVE-2024-26207, CVE-2024-26217, and CVE-2024-28902. Microsoft says an unspecified regression introduced by the April patches is resolved by installation of the May patches.

"Back in 2021, Microsoft started publishing the Assigning CNA (CVE Numbering Authority) field on advisories. A welcome trend of publishing advisories for third-party software included in Microsoft products continues this month with two vulnerabilities in MinGit patched as part of the May 2024 Windows security updates.

"MinGit is published by GitHub and consumed by Visual Studio. CVE-2024-32002 describes a RCE vulnerability on case-insensitive filesystems that support symlinks — macOS APFS comes to mind — and CVE-2024-32004 describes RCE while cloning specially-crafted local repositories."

Mike Walters, president and co-founder of Action1, a vendor of patch management software, elaborated on CVE-2024-30051, pointing out that this elevation of privilege vulnerability stemmed from a heap-based buffer overflow (CWE-122) within the library.

"It could allow an attacker to gain SYSTEM-level privileges on machines running vulnerable versions of Windows, starting with Windows 10 and above, including Windows Server 2016 and later," Walters explained.

With a CVSS 3.1 base score of 7.8 (High), Microsoft rated this vulnerability as high severity, with a significant impact on confidentiality, integrity, and availability, he noted.

Key vulnerability metrics for this vulnerability were:

  • Attack Vector: Local – The vulnerability can only be exploited with local access to the system.
  • Attack Complexity: Low – The attack does not require complex strategies and can be carried out with minimal prerequisites.
  • Privileges Required: Low – Only low-level privileges are needed, making the vulnerability easier to exploit.
  • User Interaction: None – No user interaction is necessary once access is obtained.

"Heap-based buffer overflow vulnerabilities are particularly severe due to the critical nature of heap management," Walters stressed. "If exploited, this vulnerability allows an attacker to inject and execute arbitrary code with the privileges of the target process, escalating to SYSTEM privileges. By altering heap structures, an attacker could redirect code execution toward malicious payloads.

"This vulnerability can be exploited by a low-privileged local user on a shared system to gain SYSTEM-level access, which could allow them to install software, alter or delete data, and modify system settings destructively. Alternatively, malware utilising a multi-stage payload might leverage this exploit to increase its privileges and further compromise the system.

"Further, an attacker might use a less severe vulnerability as an entry point to gain initial low-level access to a machine and then exploit CVE-2024-30051 to escalate their privileges from a low-privileged account to SYSTEM, thereby gaining extensive control over the machine. Such SYSTEM privileges could be used to disable security features, steal sensitive data, or conduct lateral movements across the network to compromise additional systems and spread malware.

"Given its critical nature and the low complexity of the exploit, CVE-2024-30051 poses a significant risk, particularly in environments with numerous and diverse local users, such as corporate networks and academic institutions.

"The existence of functional exploit code and confirmed exploitation reports suggests that attackers are well-acquainted with this vulnerability and are actively exploiting it in campaigns. In light of the high level of privilege attainable through this exploit, it is crucial for organizations to prioritize deploying Microsoft’s official patch to mitigate potential damage."
