Patch Tuesday May 2024: Important Fix for Exploit Used by Qakbot

It may have fewer total fixes for vulnerabilities than last month, but May’s Patch Tuesday still addresses some important zero-day vulnerabilities—one of which has been under exploitation by multiple threat actors since at least April. With three vulnerabilities known to be in use by threat actors, and one that has been publicly disclosed there is still some urgency this month to pushing updates even though the number of severity ratings are comparatively low against the previous few months.

Microsoft Vulnerabilities

May’s Patch Tuesday brings fixes for a total of 61 vulnerabilities, with informational changes to five vulnerabilities. Only one vulnerability is rated as Critical, 11 as Exploitation More Likely and three designated as zero-day vulnerabilities. Two of the zero-days being under Active Exploitation and one being publicly disclosed, but marked as Exploitation Less Likely.

Included in this month’s Patch Tuesday release notes from Microsoft are Chromium-based Edge browser vulnerabilities. While Edge browser vulnerabilities are commonly addressed by Chromium updates that happen outside of the Microsoft’s Patch Tuesday window, the addition of the vulnerabilities into the release notes does bring up the topic of needing to be familiar with how and when the Microsoft Edge browser is updated.

The big vulnerability fix of the month is CVE-2024-30051 that addresses a Windows Desktop Window Manager (DWM) exploit that would allow an attacker to gain system privileges as part of an elevation attack. Being an attack that requires no user interaction beyond opening a file, the threshold for attackers leveraging the vulnerability is rather low and it has already been used to deliver Qakbot and other malware payloads. It also affects multiple Windows 10 and Windows 11 builds as well as Windows Server 2016 and up.

CVE-2024-30040 is another zero-day vulnerability Under Active Exploitation that targets Windows MSHTML platform, which is used to render browser-based content and finds itself being relied upon by multiple Window components including Office 365 and Microsoft Office applications. Information on this vulnerability is sparse so as of print it is unknown how or where the vulnerability has been abused. It allows for execution of arbitrary code in the context of the current Windows user simply by opening a malicious document. Chaining this vulnerability with another vulnerability that allows for privilege escalation could result in compromise of a system. As this vulnerability is Under Active Exploitation and scores a CVSS of 8.8, it along with CVE-2024-30051 should be plenty of motivation to patch systems as soon as possible.

The final Microsoft zero-day of May is CVE-2024-30046 affecting Visual Studio 2022, .NET 8.0 and .NET 7.0. This denial of service vulnerability only carries a CVSS of 5.9 and is marked as being publicly disclosed but Not Under Active Exploitation. This is a great example of how only focusing on zero-days because they sound more dangerous can make you less resilient against other threats that might fly under your radar, even though they are actively being exploited.

The only critical vulnerability of the month from Microsoft is CVE-2024-30044 affecting Microsoft SharePoint Server 2016, 2019 and Subscription Edition. The small footprint of SharePoint on premise servers means it’s unlikely many will need to be concerned with addressing this vulnerability but the critical rating and being marked as Exploitation More Likely does mean those who are running on-premise SharePoint will need to have another priority item to patch.

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available

Summary

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out the Patch Management section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd