Microsoft addresses 59 CVEs including critical zero-day flaws
In its latest Patch Tuesday release, Microsoft has addressed a total of 59 CVEs (Common Vulnerabilities and Exposures), including one critical vulnerability and three zero-day vulnerabilities. An elevation of privilege flaw in the DWM Core Library in Microsoft Windows and a security feature bypass in the MSHTML Engine have been identified as the exploited zero-day vulnerabilities.
Satnam Narang, Senior Staff Research Engineer at Tenable, gave his insights on the Patch Tuesday release. He noted that while this month's figure appeared significantly lower compared to the preceding month, which recorded 147 CVEs - the highest in the history of the Patch Tuesday releases - the current situation still warrants attention, particularly concerning the increase of zero-day threats.
Speaking in detail about the exploit in CVE-2024-30051, Satnam clarified how it facilitates privilege elevation post-compromise for local attackers. He said, "Typically, zero-day exploitation of an elevation of privilege flaw is often associated with targeted attack campaigns. However, we know that post-patch, threat actors continue to find success using privilege escalation flaws."
He also highlighted that the CVE-2024-30051 flaw could potentially be used for initial access into a target environment, given its need for social engineering tactics, such as email, to convince targets to open maliciously crafted document files. Once the flaw is exploited, attackers are able to bypass OLE mitigations in Microsoft 365 and Microsoft Office, security features that are designed to safeguard users from malicious files.
CVE-2024-30051 is the second flaw in the DWM Core Library, within the last six months at least, to be actively exploited in the wild. Commenting on the similarities between the two attacks, Satnam stated, "No details are public at this time for either flaw, but it is possible that in-the-wild exploitation may be linked to the same threat actor either through the discovery of another privilege escalation flaw in the same library. Alternatively, CVE-2024-30051 could be the result of a patch bypass – an incomplete fix for CVE-2023-36033."
On a separate note, the MSHTML security feature bypass exploit, CVE-2024-30040, was said to be the first of its kind in 2024, following a series of eight MSHTML vulnerabilities identified and patched in 2023. Of the eight patched vulnerabilities, only one - CVE-2023-32046 - was exploited in the wild as a zero-day and subsequently rectified in July 2023.
The SharePoint vulnerability, CVE-2024-30044, earned a special mention in Satnam's analysis, as it was the only one to be rated as 'Critical' this month. He further elaborated, saying, "Exploitation requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher) first and to take additional steps in order to exploit this flaw, which makes this flaw less likely to be exploited as most attackers follow the path of least resistance."