Microsoft’s Patch Tuesday updates for May 2024 address 61 new security vulnerabilities. Among these, two zero-day vulnerabilities are actively exploited in the wild. The vulnerabilities are categorized as follows: one Critical, 59 Important, and one Moderate. This update is essential for enhancing security across Microsoft software.

Additionally, 30 vulnerabilities in the Chromium-based Edge browser were resolved, including two zero-days. The active exploitation of these zero-days highlights the urgency of applying these patches. The critical flaw and numerous important vulnerabilities indicate significant potential risks that need mitigation.

Administrators and users should prioritize these updates to protect their systems from potential exploits. The two actively exploited zero-days in Microsoft software necessitate immediate attention to prevent malicious attacks. Updating the Chromium-based Edge browser is equally crucial due to the resolved zero-days.

Overall, these updates are part of Microsoft’s ongoing effort to maintain robust security measures across its software ecosystem. Users are strongly advised to apply these updates promptly to ensure the highest level of protection against emerging threats. Keeping systems up-to-date with the latest patches is a fundamental step in safeguarding against vulnerabilities and maintaining security integrity.

Actively Exploited Zero-Days

CVE-2024-30040: Windows MSHTML Platform Security Feature Bypass

• CVSS Score:8
• Description: An attacker could gain code execution by convincing a user to open a malicious document. Exploitation does not require user interaction with the malicious file beyond loading it.
• Exploit Vector: Email or instant message with a specially crafted file.
• Impact: Arbitrary code execution in the context of the user.

CVE-2024-30051: Windows Desktop Window Manager (DWM) Core Library Elevation of Privilege

• CVSS Score: 8
• Description: This vulnerability allows an attacker to gain SYSTEM privileges. It has been used in conjunction with QakBot and other malware.
• Researchers: Discovered by teams from Kaspersky, DBAPPSecurity WeBin Lab, Google Threat Analysis Group, and Mandiant.
• Impact: SYSTEM level access.

Both vulnerabilities have been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required to apply the fixes by June 4, 2024.

Other Notable Vulnerabilities

• Remote Code Execution Vulnerabilities
• Windows Mobile Broadband Driver: 9 vulnerabilities.
• Windows Routing and Remote Access Service (RRAS): 7 vulnerabilities.
• Privilege Escalation Flaws
• Common Log File System (CLFS) Driver:
• CVE-2024-29996 (CVSS score: 7.8)
• CVE-2024-30025 (CVSS score: 7.8)
• CVE-2024-30037 (CVSS score: 7.5)
• Win32k:
• CVE-2024-30028 (CVSS score: 7.8)
• CVE-2024-30030 (CVSS score: 7.8)
• Windows Search Service:
• CVE-2024-30033 (CVSS score: 7.0)
• Windows Kernel:
• CVE-2024-30018 (CVSS score: 7.8)

Security Feature Bypass

CVE-2024-30050: CVE-2024-30050 affects Windows’ Mark-of-the-Web (MotW) security feature. This vulnerability can be exploited using a malicious file to bypass security defenses. MotW is designed to flag files downloaded from the internet, but this flaw allows attackers to evade these protections. By crafting a specific file, an attacker can trick the system into treating it as safe, potentially leading to malicious code execution. Users might unknowingly execute harmful files, thinking they are secure. Microsoft has addressed this issue in their latest updates, urging users to apply the patches to mitigate the risk.

Exploitation Techniques and Research

Recent reports have highlighted active exploitation attempts targeting privilege escalation vulnerabilities in Windows components. Kaspersky noted that threat actors are leveraging these now-patched vulnerabilities to gain elevated privileges. These attacks underscore the importance of applying updates promptly to mitigate such risks.

Additionally, Akamai has uncovered a new privilege escalation technique in Active Directory (AD) environments. This technique involves the DHCP administrators group, which attackers can exploit to escalate privileges. When the DHCP server role is installed on a Domain Controller (DC), it creates a potential pathway for attackers to gain domain admin privileges.

By exploiting this vulnerability, attackers can establish a stealthy persistence mechanism within the domain, making their presence hard to detect. The technique not only provides a method for privilege escalation but also enables long-term access and control over the AD environment.

The findings from both Kaspersky and Akamai highlight the critical need for organizations to monitor and secure their AD environments and apply the latest patches to safeguard against these sophisticated exploitation techniques. Ensuring robust security practices and timely updates is essential to defend against potential threats and maintain the integrity of organizational networks.

Software Patches from Other Vendors

In addition to Microsoft’s updates, several other vendors have released security updates, including:

• Adobe
• Android
• Apple
• Arm
• ASUS
• Atos
• Broadcom (including VMware)
• Cacti
• Cisco
• Citrix
• CODESYS
• Dell
• Drupal
• F5
• Fortinet
• GitLab
• Google Chrome
• Google Cloud
• Google Wear OS
• Hikvision
• Hitachi Energy
• HP
• HP Enterprise
• HP Enterprise Aruba Networks
• IBM
• Intel
• Jenkins
• Juniper Networks
• Lenovo
• Linux distributions (Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu)
• MediaTek
• Mitsubishi Electric
• MongoDB
• Mozilla Thunderbird
• NVIDIA
• ownCloud
• Palo Alto Networks
• Progress Software
• QNAP
• Qualcomm
• Rockwell Automation
• Samsung
• SAP
• Schneider Electric
• Siemens
• SolarWinds
• SonicWall
• Tinyproxy
• Veeam
• Veritas
• Zimbra
• Zoom
• Zyxel

Remediation Steps for May 2024 Microsoft Patch Tuesday Updates

1. Apply Updates Immediately: Prioritize the installation of the May 2024 Patch Tuesday updates across all Microsoft software. Ensure both operating systems and applications are up-to-date to mitigate the vulnerabilities, especially the two actively exploited zero-days.
2. Update Chromium-based Edge Browser: Install the latest version of the Chromium-based Edge browser to address the 30 resolved vulnerabilities, including the two critical zero-days.
3. Audit Systems for Signs of Exploitation: Conduct thorough system audits to detect any signs of exploitation related to the vulnerabilities CVE-2024-30040 and CVE-2024-30051. Look for indicators of compromise and take necessary action if suspicious activity is found.
4. Enhance User Awareness: Educate users about the risks associated with opening suspicious emails or instant messages that may contain malicious files. Reinforce best practices for handling unexpected or unknown attachments.
5. Monitor Security Alerts and Advisories: Keep an eye on security alerts and advisories from Microsoft and cybersecurity agencies like CISA. Ensure that any new updates or patches released in response to these vulnerabilities are applied promptly.
6. Strengthen Network Defenses: Implement additional network security measures such as firewalls, intrusion detection/prevention systems, and endpoint protection solutions to provide layered defense against potential exploits.
7. Review and Update Security Policies: Review and update your organization’s security policies to include procedures for timely patch management and vulnerability mitigation. Ensure that these policies are strictly enforced and regularly audited.