Microsoft's May 2024 Patch Tuesday security updates fix 2 actively exploited zero-day vulnerabilities.

In May 2024, as part of the Patch Tuesday security updates, Microsoft fixed 59 vulnerabilities affecting various products, including an actively exploited zero-day. The latest security update addressed issues in several components, including Windows and its components, Office and its modules, .NET Framework and Visual Studio, Microsoft Dynamics 365, Power BI, DHCP Server, as well as in the Chromium-based Microsoft Edge browser and Windows Mobile Broadband. Among all the fixed issues, only one was classified as critical, 57 were categorized as "important," and one as "moderate."

Two vulnerabilities highlighted by Microsoft this month are actively being exploited by attackers, and one of them is a well-known zero-day vulnerability. The first of these vulnerabilities is:

• CVE-2024-30040– vulnerability bypassing the security protections of the MSHTML platform in Windows. This vulnerability allows an attacker to circumvent OLE precautions in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls. A hacker can initiate this issue by enticing a user to download a malicious file onto a vulnerable system, often using deceptive methods such as email or messaging apps.

After that, the attacker convinces the user to manipulate the file, which does not always require the user to directly click or open the document. As stated in the notice, "an unauthenticated attacker who successfully exploits this vulnerability may gain code execution by convincing the user to open a malicious document, which subsequently allows the attacker to execute arbitrary code on behalf of the user."

The second vulnerability is –CVE-2024-30051- this is a privilege escalation vulnerability in the DWM Core library of Windows. An attacker can exploit this vulnerability to gain SYSTEM privileges. However, Microsoft does not disclose details regarding attacks that utilize the aforementioned vulnerabilities. A complete list of the fixed issues, which was provided by Microsoft as part of the Patch Tuesday security updates in May 2024, is available at the link. You can stay updated by following me on Twitter: @securityaffairs and on Facebook, as well as on Mastodon Pierluigi Paganini (SecurityAffairs - hacking, zero-day).