Microsoft Security Update Summary (May 14, 2024)

On May 14, 2024, Microsoft released security updates for Windows clients and servers, for Office and for other products. The security updates fix 49 vulnerabilities (CVEs), including three critical vulnerabilities. Below is a compact overview of the updates released on Patchday.


Notes on the updates

A list of the updates can be found on this Microsoft page. Details on the update packages for Windows, Office etc. are available in separate blog posts.

Windows 10/11, Windows Server

All Windows 10/11 updates (as well as the updates of the server counterparts) are cumulative. The monthly patchday update contains all security fixes for these Windows versions – as well as all non-security fixes up to the patchday. In addition to the security patches for the vulnerabilities, the updates also contain fixes for errors or new features.

Windows Server 2012 R2

Windows Server 2012/R2 received regular security updates until October 2023. Since that date, an ESU license has been required to obtain further security updates (Windows Server 2012/R2 gets Extended Security Updates (ESU) until October 2026).

Fixed vulnerabilities

Tenable has this blog post with an overview of the vulnerabilities that have been fixed. Here are some of the critical vulnerabilities that have been fixed:

  • CVE-2024-30051: Windows DWM Core Library Elevation of Privilege vulnerability, CVSSv3 Score 7.8, important; A local attacker present on a vulnerable system could exploit this vulnerability to gain SYSTEM privileges. The discovery of this vulnerability is attributed to several researchers from Google Threat Analysis Group, Google Mandiant and Kaspersky. It is also attributed to Quan Jin of DBAPPSecurity WeBin Lab. Kaspersky researchers have linked this zero-day vulnerability to QakBot and other malware. Microsoft pointed out that the vulnerability was exploited as a zero-day and became public knowledge before a patch was available.
  • In addition to CVE-2024-30051, Microsoft has closed two other EoP vulnerabilities in the DWM Core Library (CVE-2024-30032, CVE-2024-30035) and an information disclosure vulnerability (CVE-2024-30008). All three vulnerabilities were disclosed to Microsoft by Zhang WangJunJie and He YiSheng from the Hillstone Network Security Research Institute.
  • CVE-2024-30040: Windows MSHTML Platform Security Feature Bypass Vulnerability, CVSSv3 Score 8.8, important; This is a vulnerability in the MSHTML (Trident) engine of Microsoft Windows that has been exploited as a zero-day. An attacker could exploit this vulnerability by using social engineering tactics via email, social media or instant messaging to trick a target user into opening a specially crafted document. Once the vulnerability has been exploited, an attacker could execute code on the target system.
  • CVE-2024-30046: Denial of Service (DoS) vulnerability affecting multiple versions of Microsoft Visual Studio 2022, CVSSv3 Score 5.9, important; The vulnerability was publicly known before a patch was made available. According to Microsoft's Exploitability Index, the vulnerability is classified as "Exploitation Less Likely" and the attack complexity as high. This is because an attacker would have to "invest time in repeated exploitation attempts" by sending "constant or intermittent data" to a target system. DoS attacks often require a constant stream of requests to overwhelm a target system, so these ratings are to be expected.
  • CVE-2024-30044: Microsoft SharePoint Server Remote Code Execution Vulnerability, CVSSv3 Score 8.8, critical; This vulnerability is rated as "Exploitation Likely". To exploit this vulnerability, an attacker who has authenticated to a vulnerable SharePoint server with the site owner's privileges must perform two steps: 1) the attacker must upload a specially crafted file to the vulnerable SharePoint server and 2) send specially crafted API requests to the SharePoint server to "trigger deserialization of the file parameters". Successful exploitation would lead to remote code execution "in the context of the SharePoint server".

A list of all covered CVEs can be found on this Microsoft page, excerpts are available at Tenable. Below is the list of patched products:


  • .NET and Visual Studio
  • Azure Migrate
  • Microsoft Bing
  • Microsoft Brokering File System
  • Microsoft Dynamics 365 Customer Insights
  • Microsoft Intune
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft WDAC OLE DB provider for SQL
  • Microsoft Windows SCSI Class System File
  • Microsoft Windows Search Component
  • Power BI
  • Windows Cloud Files Mini Filter Driver
  • Windows CNG Key Isolation Service
  • Windows Common Log File System Driver
  • Windows Cryptographic Services
  • Windows Deployment Services
  • Windows DHCP Server
  • Windows DWM Core Library
  • Windows Hyper-V
  • Windows Kernel
  • Windows Mark of the Web (MOTW)
  • Windows Mobile Broadband
  • Windows MSHTML Platform
  • Windows NTFS
  • Windows Remote Access Connection Manager
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Task Scheduler
  • Windows Win32K – GRFX
  • Windows Win32K – ICOMP
