.jpg)
Today marks Microsoft's May 2024 Patch Tuesday, which addresses 61 security vulnerabilities, including three zero-day exploits that were actively exploited or publicly disclosed.
Key Vulnerability Updates
This month, Microsoft released updates that cover a wide range of vulnerabilities across its products. Notably, only one critical vulnerability was addressed:
Microsoft SharePoint Server Remote Code Execution Vulnerability
Here's a breakdown of the vulnerability categories:
17 Elevation of Privilege Vulnerabilities
2 Security Feature Bypass Vulnerabilities
27 Remote Code Execution Vulnerabilities
7 Information Disclosure Vulnerabilities
3 Denial of Service Vulnerabilities
4 Spoofing Vulnerabilities
It's important to note that the total count of 61 does not include two Microsoft Edge flaws fixed on May 2nd and four fixed on May 10th.
For detailed information on non-security updates, refer to our articles on the new Windows 11 KB5037771 cumulative update and the Windows 10 KB5037768 update.
Zero-Days Addressed
This Patch Tuesday resolves three zero-day vulnerabilities—two actively exploited and one publicly disclosed:
CVE-2024-30040 - Windows MSHTML Platform Security Feature Bypass Vulnerability
This flaw involves a bypass of OLE mitigations in Microsoft 365 and Office, which protect against vulnerable COM/OLE controls. An attacker can exploit this by persuading a user to load a malicious file, leading to arbitrary code execution.
Microsoft detailed that an unauthenticated attacker could gain code execution if a user opens a malicious document, although the exact method of abuse and the discoverer are unknown.
CVE-2024-30051 - Windows DWM Core Library Elevation of Privilege Vulnerability
This vulnerability allows attackers to gain SYSTEM privileges. Kaspersky reported its exploitation in Qakbot malware phishing attacks.
The flaw was disclosed by multiple researchers from Kaspersky, DBAPPSecurity WeBin Lab, Google Threat Analysis Group, and Google Mandiant, although the details of its public disclosure remain unclear.
CVE-2024-30046 - Microsoft Visual Studio Denial of Service Vulnerability
This denial-of-service flaw in Visual Studio was publicly disclosed, but specific details were not provided by Microsoft.
Updates from Other Companies
Several other vendors have also released security updates or advisories in May 2024:
Adobe: Updates for After Effects, Photoshop, Commerce, InDesign, and more.
Apple: Backported an RTKit zero-day to older devices and fixed a Safari WebKit zero-day flaw exploited at Pwn2Own.
Cisco: Updates for IP phone products.
Citrix: Advised Xencenter admins to manually fix a Putty flaw that could steal an admin's private SSH key.
F5: Security updates for two high-severity BIG-IP Next Central Manager API flaws.
Google: Emergency update to fix the sixth zero-day of 2024.
TinyProxy: Fixed a critical remote code execution flaw disclosed by Cisco.
VMware: Addressed three zero-day bugs exploited at Pwn2Own 2024.
Please note that we will no longer link to SAP's Patch Tuesday security updates as they are now behind a customer login.
Detailed Vulnerability Information
For a comprehensive list of resolved vulnerabilities in the May 2024 Patch Tuesday updates and to access full descriptions of each vulnerability and affected systems, you can view the full report here.
