Microsoft releases 61 Patch Tuesday updates and warns of three zero-day bugs
Microsoft urges users to be wary of at least one vulnerability that is being actively exploited in the wild.
Microsoft released more than 60 patches this Patch Tuesday, including three zero-day vulnerabilities, one of which is being actively exploited.
CVE-2024-30051 is an elevation of privilege vulnerability in the Windows Desktop Window Manager (DWM) core library. Successful exploitation grants full SYSTEM privileges.
CVE-2024-30046 is a denial of service flaw in Visual Studio, but it requires a very complex attack to win a particular race condition.
Finally, CVE-2024-30040 is a security feature bypass vulnerability in Microsoft 365 and Office and has been observed to be actively exploited. Any unpatched asset is vulnerable to this bug, so it needs urgent attention.
Adam Barnett, Lead Software Engineer at Rapid7, explained to us what makes these vulnerabilities exploitable.
“The first of today’s zero-day vulnerabilities is CVE-2024-30051, an elevation of privilege (EoP) vulnerability in the Windows Desktop Window Manager (DWM) core library, which is listed by CISA KEV,” said Barnett.
“Successful exploitation grants SYSTEM privileges. First introduced as part of Windows Vista, DWM is responsible for drawing everything on the screen of a Windows system. Courtesy of Microsoft’s recent enhancement of its security advisories to include Common Weakness Enumeration (CWE) data, the exploit mechanism is listed as CWE-122: Heap-based buffer overflow, which is just the type of flaw that the recent US federal government demands for memory-safe software development are designed to address.
“The Windows MSHTML platform advisory (CVE-2024-30040) states that an attacker would have to convince a user to open a malicious file; successful exploitation bypasses COM/OLE protections in Microsoft 365 and Microsoft Office to achieve code execution in the context of the user.
“As Rapid7 previously noted, MSHTML (aka Trident) is still fully present on Windows, and unpatched assets are therefore vulnerable to CVE-2024-30040, regardless of whether a Windows asset has Internet Explorer 11 completely disabled or not.
“Microsoft describes that CVE-2024-30046 requires a very complex attack to win a race condition via ‘[the investment of] time in repeated exploitation attempts by sending constant or intermittent data.’
“Given that all data sent anywhere is transmitted constantly or intermittently, and the rest of the advisory is short on details, the potential impact of the exploit remains unclear. Only Visual Studio 2022 receives an update, so presumably older supported versions of Visual Studio are not affected.”