Microsoft on Tuesday released its May 2024 Patch Tuesday, which includes fixes for 61 vulnerabilities.
This Patch Tuesday fixes two zero-day vulnerabilities affecting Windows MSHTML (CVE-2024-30040) and Desktop Window Manager (DWM) Core Library (CVE-2024-30051).
It also patches one critical Remote Code Execution (RCE) vulnerability affecting the Microsoft SharePoint Server (CVE-2024-30044).
The two actively exploited zero-day vulnerabilities that Microsoft addresses in the May 2024 Patch Tuesday update are:
CVE-2024-30040 – Windows MSHTML Platform Security Feature Bypass Vulnerability
According to the Microsoft advisory, this security feature vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office that protect users from vulnerable COM/OLE controls.
“An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file,” Microsoft explains in the advisory.
“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user,” Microsoft added.
CVE-2024-30051 – Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2024-30051 is a heap-based buffer overflow (CWE-122) vulnerability in the Windows Desktop Windows Manager (DWM) Core Library.
An attacker can successfully exploit this vulnerability to gain SYSTEM privileges on a target system.
It is not known, and neither has the Redmond giant shared any information about the attacks exploiting the above vulnerabilities or who discovered them.
You can check out the comprehensive list of vulnerabilities addressed by Microsoft in the May 2024 Patch Tuesday security updates here.
The list offers explanations of each vulnerability and the systems it affects.