Microsoft Patch Tuesday, May'24: Over 60 vulnerabilities fixed
Install the security patches immediately
If you are a part of the Microsoft ecosystem, it’s vital to understand what vulnerabilities were fixed in the latest Patch Tuesday. In May 2024, Microsoft released patches for 60 vulnerabilities, including two zero days.
For the uninitiated, zero-day vulnerabilities are those that have been identified and disclosed, but for which a patch hasn’t been released yet.
Vulnerabilities addressed in Microsoft Patch Tuesday, May 2024
The two zero days patched this time around are:
CVE-2024-30051 (Windows DWM Core Library Elevation of Privilege Vulnerability)
One of the most severe existing vulnerabilities, it received a CVSS rating of 7.8. Microsoft shared little about the vulnerability beyond the fact that it allowed an attacker to gain access to the system.
Available reports suggest that the vulnerability was being actively exploited to load malware on the end user’s PC, including the Qakbot banking trojan.
CVE-2024-30040 (Windows MSHTML Platform Security Feature Bypass Vulnerability)
This vulnerability received a CVSS score of 8.8. Microsoft explains that to exploit it, attackers have to convince the end user to load a malicious file (even a document), which would then give them code execution privileges.
Both these vulnerabilities are critical and actively exploited. We recommend you download the patch right away from the dedicated page, depending on the Windows version and the system architecture.
Of the security updates released by Microsoft, here’s a quick classification:
| Category | Number of Vulnerabilities |
| --- | --- |
| Remote Code Execution Vulnerability | 27 |
| Elevation of Privilege Vulnerability | 17 |
| Information Disclosure Vulnerability | 7 |
| Spoofing Vulnerability | 4 |
| Denial of Service Vulnerability | 3 |
| Security Feature Bypass Vulnerability | 2 |
These include security updates for Microsoft Edge (Chromium-based), Microsoft 365, Power BI, Windows Cloud Files Mini Filter Driver, Windows Task Scheduler, Microsoft Windows Search Component, and Windows Common Log File System Driver, amongst others.
It’s also vital to separately mention the CVE-2024-30044 SharePoint Server Remote Code Execution vulnerability, the only one in the list to be marked as Critical. It has a CVSS score of 8.8. Microsoft’s official website, while explaining the exploitation process, reads,
An authenticated attacker with Site Owner permissions or higher could upload a specially crafted file to the targeted Sharepoint Server and craft specialized API requests to trigger deserialization of file’s parameters. This would enable the attacker to perform remote code execution in the context of the Sharepoint Server.
Download the security patches for all the vulnerabilities that apply to you, and work stress-free in a secure environment.
Also, Microsoft has confirmed that the hotpatching feature is now available. So you won’t have to reboot the device after installing the update for the changes to come into effect!
Do you know any vulnerabilities that weren’t addressed in this Microsoft Patch Tuesday? Share with our readers in the comments section.