Microsoft Patch Tuesday security updates for May 2024 addressed 59 vulnerabilities in Windows and Windows Components; Office and Office Components; .NET Framework and Visual Studio; Microsoft Dynamics 365; Power BI; DHCP Server; Microsoft Edge (Chromium-based); and Windows Mobile Broadband.
Only one of the vulnerabilities addressed by the IT giant this month is rated Critical, 57 are rated Important, and one is rated Moderate in severity.
Two of the vulnerabilities fixed by Microsoft this month are actively exploited, and one was a publicly disclosed zero-day.
The two actively exploited zero-day vulnerabilities are:
CVE-2024-30040 – Windows MSHTML Platform Security Feature Bypass Vulnerability
Exploitation of this vulnerability bypasses the OLE mitigations in Microsoft 365 and Microsoft Office that protect users from vulnerable COM/OLE controls.
To trigger the issue, an attacker has to trick a user into loading a malicious file onto a vulnerable system, typically through deceptive means such as email or instant messenger messages, and then convince the user to manipulate the specially crafted file, though not necessarily to click or open it directly.
“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user,” reads the advisory.
CVE-2024-30051 – Windows DWM Core Library Elevation of Privilege Vulnerability
An attacker can exploit this vulnerability to gain SYSTEM privileges.
Microsoft has not shared details about the attacks exploiting the above vulnerabilities.
The full list of flaws addressed by Microsoft with the release of Patch Tuesday security updates for May 2024 is available here.