This month’s Patch Tuesday updates contain fixes for two actively exploited vulnerabilities, another that is publicly disclosed, and a fourth marked Critical. In total, the updates fix 60 Microsoft CVEs.

Let’s start with the zero-days. The CVEs for these two vulnerabilities are:

CVE-2024-30040 is a Windows MSHTML Platform security feature bypass with a CVSS score of 8.8 out of 10. The vulnerability can be used to bypass OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls.

An attacker would have to convince a user to load a malicious file onto a vulnerable system. If the attacker succeeded, the malicious document could then execute arbitrary code in the context of the user. Microsoft marked this one as Exploitation Detected, which means it has been used in the wild.

CVE-2024-30051 is a Windows DWM Core Library Elevation of Privilege (EoP) vulnerability with a CVSS score of 7.8 out of 10. This is a heap-based buffer overflow vulnerability an attacker can use to gain SYSTEM privileges.

This vulnerability is reportedly actively being exploited by multiple cybercriminals and is very similar to CVE-2023-36033, which we wrote about in November 2023.

Both of the actively exploited vulnerabilities have been added to the Cybersecurity and Infrastructure Security Agency (CISA) catalog of actively exploited vulnerabilities, which means that Federal Civilian Executive Branch (FCEB) agencies need to remediate them by June 4, 2024, in order to protect their devices against active threats.

There are two other noteworthy vulnerabilities in this month’s updates.

CVE-2024-30046 is a Denial of Service (DoS) vulnerability in Visual Studio with a CVSS score of 5.9 out of 10. It relies on a race condition, which is a flaw that happens when a system depends on two or more uncontrollable events happening in a specific order. This creates inconsistent behavior because the events may or may not happen in the order the programmer intended. To exploit this bug, an attacker would have to invest time in repeated exploitation attempts through sending constant or intermittent data. So, even though this vulnerability has been publicly disclosed, exploitation is considered less likely.

The only critical vulnerability this month is CVE-2024-30044, which is a Microsoft SharePoint Server Remote Code Execution (RCE) vulnerability with a CVSS score of 8.8 out of 10. An authenticated attacker with Site Owner permission can use the vulnerability to inject arbitrary code and execute it in the context of SharePoint Server.

To exploit this vulnerability, an attacker would have to combine it with others to get authenticated as a Site Owner and be able to send especially crafted API requests to the SharePoint Server. But since Microsoft has it listed as Exploitation More Likely and Critical, we figured it was worth pointing out.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

• Adobe has release security updates for several products.
• Apple released updates for Safari and several operating systems, including iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, and watchOS 10.5.
• F5 recently published important updates for BIG-IP Next Central Manager.
• Google has released an emergency security update for its Chrome browser.
• Mozilla released version 126.0 which includes the Copy Without Site Tracking option.
• SAP has released its May 2024 Patch Day updates.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in check by using ThreatDown’s Vulnerability Assessment and Patch Management solutions.