May 14, 2024

Microsoft today released updates to fix more than 60 security holes in Windows computers and supported software, including two “zero-day” vulnerabilities in Windows that are already being exploited in active attacks. There are also important security patches available for macOS and Adobe users, and for the Chrome Web browser, which just patched its own zero-day flaw.

First, the zero-days. CVE-2024-30051 is an “elevation of privilege” bug in a core Windows library. Satnam Narang at Tenable said this flaw is being used as part of post-compromise activity to elevate privileges as a local attacker.

“CVE-2024-30051 is used to gain initial access into a target environment and requires the use of social engineering tactics via email, social media or instant messaging to convince a target to open a specially crafted document file,” Narang said. “Once exploited, the attacker can bypass OLE mitigations in Microsoft 365 and Microsoft Office, which are security features designed to protect end users from malicious files.”

Kaspersky Lab, one of two companies credited with reporting exploitation of CVE-2024-30051 to Microsoft, has published a fascinating writeup on how they discovered the exploit in a file shared with Virustotal.com.

Kaspersky said it has since seen the exploit used together with QakBot and other malware. Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations.

CVE-2024-30040 is a security feature bypass in MSHTML, a component that is deeply tied to the default Web browser on Windows systems. Microsoft’s advisory on this flaw is fairly sparse, but Kevin Breen from Immersive Labs said this vulnerability also affects Office 365 and Microsoft Office applications.

“Very little information is provided and the short description is painfully obtuse,” Breen said of Microsoft’s advisory on CVE-2024-30040.

The only vulnerability fixed this month that earned Microsoft’s most-dire “critical” rating is CVE-2024-30044, a flaw in Sharepoint that Microsoft said is likely to be exploited. Tenable’s Narang notes that exploitation of this bug requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher) first and to take additional steps in order to exploit this flaw, which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance.

Five days ago, Google released a security update for Chrome that fixes a zero-day in the popular browser. Chrome usually auto-downloads any available updates, but it still may require a complete restart of the browser to install them. If you use Chrome and see a “Relaunch to update” message in the upper right corner of the browser, it’s time to restart.

Apple has just shipped macOS Sonoma 14.5 update, which includes nearly two dozen security patches. To ensure your Mac is up-to-date, go to System Settings, General tab, then Software Update and follow any prompts.

Finally, Adobe has critical security patches available for a range of products, including Acrobat, Reader, Illustrator, Adobe Substance 3D Painter, Adobe Aero, Adobe Animate and Adobe Framemaker.

Regardless of whether you use a Mac or Windows system (or something else), it’s always a good idea to backup your data and or system before applying any security updates. For a closer look at the individual fixes released by Microsoft today, check out the complete list over at the SANS Internet Storm Center. Anyone in charge of maintaining Windows systems in an enterprise environment should keep an eye on askwoody.com, which usually has the scoop on any wonky Windows patches.

Update, May 15, 8:28 a.m.: Corrected misattribution of CVE-2024-30051.


9 thoughts on “Patch Tuesday, May 2024 Edition

  1. NumbLips

    Lest we forget, or procrastinate…the biggie, Mac OS update, leads to tvOS, iPad OS, iOS, watch updates. Pretty bulky package. I noticed the iOS update resulted in frustrating pairing with hearing aids-solution shut down phone then try it. Almost as much pain as installing two dental crowns today.

    Reply
  2. Eddy Duncan

    Is Microsoft ever going to fix KB5034441? It still fails on my computer, as it has for months now

    Reply
    1. IJAC

      No Microsoft said they are not going to fix it. You will just have to hide it.

      Reply
    2. Catwhisperer

      The solution on a Dell Latitude E5530 was to enable the TPM for the operating system. That may work for some. Others have recommended resizing a certain partition, which is a non-starter for me, as is having an uninstallable update. I’ve suggested to several that if their machines are not ready to ditch, install Ubuntu 22.04, or whatever the latest LTS version is, and then subscribe to Microsoft Office if you need to and use it online. Microsoft wants y’all to switch to Windows 11, and if that means you have to get a new PC, too bad…

      Apple did something similar with their OS. They stopped supporting Intel processors in lieu of their M series. So I have a perfectly good older iMac that can’t run the latest Apple OS, but runs the latest Kali Linux just fine. Go figure…

      Reply
    3. mealy

      It’s actually an easy fix albeit with a bunch of steps. Basically you have to enlarge the recovery partition, give it a full GB to future-proof as you like. Then the patches install fine because they have enough space to work with. You can google the error and find instructions. It’s also something you can screw up your windows install doing wrong – so backup first.

      Reply
  3. todb

    The Kaspersky writeup is about CVE-2024-30051, not CVE-2024-30040 as implied by the article.

    Reply
    1. SeymourB

      Did you say updates can bankrupt ransomware companies?

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *