Microsoft Fixes Three Zero-Days in May Patch Tuesday

Summary: Microsoft's latest Patch Tuesday addresses more than 60 CVEs, including three zero-day vulnerabilities, two of which have been actively exploited in the wild.

Threat Actor: QuakBot
Victim: System administrators

Key Points:

  • The latest Microsoft Patch Tuesday includes over 60 CVEs to address, with three zero-day vulnerabilities.
  • Two of the zero-day vulnerabilities have been actively exploited in the wild, with one being used to deliver QuakBot and other malware.
  • The most prominent zero-day vulnerability (CVE-2024-30051) is an elevation of privilege vulnerability stemming from a heap-based buffer overflow in the Windows Desktop Window Manager (DWM) Core Library.
  • This vulnerability poses a significant risk to environments with numerous and diverse local users, such as corporate networks and academic institutions.
  • An exploit of this vulnerability can allow a low-privileged local user to gain system-level access, potentially leading to unauthorized software installation, data alteration or deletion, and destructive modification of system settings.
  • Malware utilizing a multi-stage payload may leverage this exploit to increase its privileges and further compromise the system.

System administrators have over 60 CVEs to address in the latest Microsoft Patch Tuesday, including three zero-day vulnerabilities.

Of these three zero-day bugs, two have been actively exploited in the wild, the most prominent of which (CVE-2024-30051) has been used to deliver QuakBot and other malware.

It is an elevation of privilege vulnerability which stems from a heap-based buffer overflow in the Windows Desktop Window Manager (DWM) Core Library.

Action1 president, Mike Walters, warned that it could pose a significant risk to environments with “numerous and diverse local users,” like corporate networks and academic institutions.

“This vulnerability can be exploited by a low-privileged local user on a shared system to gain system-level access, which could allow them to install software, alter or delete data, and modify system settings destructively. Alternatively, malware utilizing a multi-stage payload might leverage this exploit to increase its privileges and further compromise the system,” he explained.

“Furthermore, an attacker might use a less severe vulnerability as an entry point to gain initial low-level access to a machine and then exploit CVE-2024-30051 to escalate their privileges from a low-privileged account to system, thereby gaining extensive control over the machine.”

These privileges could be used to disable security features, steal sensitive data or conduct lateral movement across a victim network, Walters added.


The second actively exploited zero-day is CVE-2024-30040, a Windows MSHTML platform security feature bypass flaw.

“Windows MSHTML is a browser engine that renders web pages frequently connected to Internet Explorer. Even though the Internet Explorer 11 desktop application has reached the end of support, MSHTML vulnerabilities are still relevant today and are being patched by Microsoft,” explained Qualys technical content developer Diksha Ojha.

“The vulnerability can bypass OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls. An unauthenticated attacker may exploit this vulnerability to execute code by convincing a user to open a malicious document.”

Finally, Microsoft also patched a denial-of-service flaw in Microsoft Visual Studio (CVE-2024-30046) which it claimed was publicly disclosed but not currently exploited.

The only critical CVE of the 61 fixed this month was CVE-2024-30044, a remote code execution (RCE) bug in Microsoft SharePoint Server.


Source: https://www.infosecurity-magazine.com/news/microsoft-three-zerodays-may24

