“Microsoft patched 59 CVEs in its May 2024 Patch Tuesday release, down from 147 CVEs last month, which was the highest in Patch Tuesday history.
“This month, Microsoft patched two zero-day vulnerabilities that were exploited in the wild – CVE-2024-30051, an elevation of privilege flaw in the DWM Core Library in Microsoft Windows and CVE-2024-30040, a security feature bypass in the MSHTML (Trident) Engine in Microsoft Windows.
“CVE-2024-30051 is used as part of post-compromise activity to elevate privileges as a local attacker. Typically, zero-day exploitation of an elevation of privilege flaw is often associated with targeted attack campaigns. However, we know that post-patch, threat actors continue to find success using privilege escalation flaws. For instance, a recent joint cybersecurity advisory about the Black Basta ransomware group from CISA, FBI, HHS and MS-ISAC notes the use of multiple privilege escalation flaws by Black Basta affiliates as part of their ransomware activity. CVE-2024-30051 is used to gain initial access into a target environment and requires the use of social engineering tactics via email, social media or instant messaging to convince a target to open a specially crafted document file. Once exploited, the attacker can bypass OLE mitigations in Microsoft 365 and Microsoft Office, which are security features designed to protect end users from malicious files.
“CVE-2024-30051 is the second DWM Core Library zero day that was exploited in the wild in at least the last six months. Microsoft patched CVE-2023-36033 in November 2023. No details are public at this time for either flaw, but it is possible that in-the-wild exploitation may be linked to the same threat actor either through the discovery of another privilege escalation flaw in the same library. Alternatively,CVE-2024-30051 could be the result of a patch bypass–an incomplete fix for CVE-2023-36033.
“CVE-2024-30040 is the first vulnerability in MSHTML disclosed in 2024. It was preceded by eight MSHTML vulnerabilities that were patched in 2023 from February 2023 through December 2023. Of the previous eight flaws, CVE-2023-32046, an elevation of privilege vulnerability, was the only one exploited in the wild as a zero-day and patched in July 2023.
“The SharePoint vulnerability (CVE-2024-30044) is notable as it is the only vulnerability rated as “Critical” in this month’s release. While this vulnerability is also considered one of several vulnerabilities that are more likely to be exploited, exploitation requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher) first and to take additional steps in order to exploit this flaw, which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance.” – Satnam Narang, Sr. Staff Research Engineer, Tenable
