Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws

Today is Microsoft’s May 2024 Patch Tuesday, which includes security updates for 61 flaws and three actively exploited or publicly disclosed zero days.

This Patch Tuesday only fixes one critical vulnerability, a Microsoft SharePoint Server Remote Code Execution Vulnerability.

The number of bugs in each vulnerability category is listed below:

• 17 Elevation of Privilege Vulnerabilities
• 2 Security Feature Bypass Vulnerabilities
• 27 Remote Code Execution Vulnerabilities
• 7 Information Disclosure Vulnerabilities
• 3 Denial of Service Vulnerabilities
• 4 Spoofing Vulnerabilities

The total count of 61 flaws does not include 2 Microsoft Edge flaws fixed on May 2nd and four fixed on May 10th.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5037771 cumulative update and the Windows 10 KB5037768 update.

Three zero-days fixed

This month’s Patch Tuesday fixes two actively exploited and one publicly disclosed zero-day vulnerabilities.

Microsoft classifies a zero-day as a flaw publicly disclosed or actively exploited with no official fix available.

The two actively exploited zero-day vulnerabilities in today’s updates are:

CVE-2024-30040 – Windows MSHTML Platform Security Feature Bypass Vulnerability

Microsoft has fixed an actively exploited bypass to OLE mitigations, which were added to Microsoft 365 and Microsoft Office to protect users from vulnerable COM/OLE controls.

“An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file,” explains Microsoft.

“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user,” continued Microsoft.

It is not known how the flaw was abused in attacks or who discovered it.

CVE-2024-30051 – Windows DWM Core Library Elevation of Privilege Vulnerability

Microsoft has fixed an actively exploited Windows DWM Core Library flaw that provides SYSTEM privileges.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” explains Microsoft.

Kaspersky states that recent Qakbot malware phishing attacks used malicious documents to exploit the flaw and gain SYSTEM privileges on Windows devices.

Microsoft said the flaw was disclosed by the following researchers: Mert Degirmenci and Boris Larin with Kaspersky, Quan Jin with DBAPPSecurity WeBin Lab Guoxian Zhong with DBAPPSecurity WeBin Lab, and Vlad Stolyarov and Benoit Sevens of Google Threat Analysis Group Bryce Abdo and Adam Brunner of Google Mandiant.

Microsoft states that the CVE-2024-30051 was also publicly disclosed, but it’s unclear where that was done. In addition, Microsoft says a denial of service flaw in Microsoft Visual Studio tracked as CVE-2024-30046 was publicly disclosed as well.

Recent updates from other companies

Other vendors who released updates or advisories in May 2024 include:

Unfortunately, we will no longer be linking to SAP’s Patch Tuesday security updates as they have placed them behind a customer login.

The May 2024 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the May 2024 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.