Microsoft fixes over 60 bugs, two zero-days

 


Microsoft has issued a fresh batch of security updates as part of its May 2024 Patch Tuesday release that address around 60 security vulnerabilities across various software products, including a couple of zero-days exploited in the wild.

The first zero-day vulnerability, CVE-2024-30051, is a heap-based buffer overflow issue, which exists due to a boundary error within the Windows DWM Core Library. A local user can trigger a heap-based buffer overflow and execute arbitrary code with SYSTEM privileges. The flaw affects Windows versions before 11 23H2 10.0.22631.3593, and Windows Server versions prior to 2022 10.0.20348.2461. This vulnerability was previously linked to the QakBot botnet dismantled as part of a global police operation in August 2023.

The second zero-day flaw, CVE-2024-30040, is a Windows MSHTML platform security feature bypass issue, which can lead to remote code execution via a specially crafted file bypassing OLE mitigations in Microsoft 365 and Microsoft Office. The vulnerability impacts Microsoft Internet Explorer v11 - 11.1790.17763.0, Windows versions before 11 23H2 10.0.22631.3593, and Windows Server releases before 2022 10.0.20348.2461.

In addition, Microsoft fixed a publicly disclosed denial of service (DoS) vulnerability (CVE-2024-30046) affecting multiple versions of Microsoft Visual Studio 2022.

Also fixed are a number of high-risk vulnerabilities in various software, including Microsoft .NET and Visual Studio, Microsoft Edge, Microsoft Excel, Microsoft WDAC OLE DB provider for SQL Server, Microsoft RRAS, and Microsoft Windows Cryptographic Services.

