Akamai’s Perspective on May’s Patch Tuesday 2024
We only have one Star Wars Day a year, but 12 Patch Tuesdays, which is a terrible ratio if you ask me…
Anyway, this May’s update contains 59 CVEs, only one of them critical (in Microsoft SharePoint Server), but it also includes patches for two vulnerabilities found in the wild.
In this blog post, we’ll assess how critical the vulnerabilities are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an ongoing report and we’ll add more information to it as our research progresses — stay tuned!
This month, we’re focusing on the following areas in which bugs were patched:
Vulnerabilities found in the wild
CVE-2024-30040 — Windows MSHTML platform
MSHTML is a web page renderer for the Windows operating system. It exposes a Component Object Model (COM) interface to allow programs to add web-rendering capabilities. It is used by Internet Explorer, Microsoft Edge’s Internet Explorer mode, Microsoft Outlook, and various other programs.
There have been multiple vulnerabilities found in the MSHTML platform (including some found by Akamai researchers), and it is an attractive exploitation target for attackers because of its ability to circumvent defense mechanisms and the fact that it is a built-in feature in Windows.
This time, according to the Microsoft Security Response Center (MSRC), the vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office. The vulnerability requires attackers to convince users to download and open a malicious file via some form of social engineering, and once the malicious file opens and the vulnerability triggers, it allows code execution under the victim user’s context.
CVE-2024-30051 — Windows DWM Core Library
Unlike the previous vulnerability, this is a privilege escalation vulnerability in the Windows Desktop Window Manager (DWM). The DWM is responsible for managing the visible windows on the screen; it has been part of Windows since Windows Vista and it is implemented in the dwm.exe process.
The vulnerability was detected by Kaspersky, and it was seen to be abused by the QakBot Trojan campaign.
Microsoft SharePoint is a web-based document management and storage system that integrates with other Microsoft Office products. There are two CVEs this month, one a critical remote code execution (RCE) vulnerability with an 8.8 CVSS score (CVE-2024-30044) and the other is an information disclosure vulnerability with a 6.5 CVSS score (CVE-2024-30043).
CVE-2024-30044 requires attackers to authenticate to the SharePoint server with an account that has at least SiteOwner permissions. After authentication, they need to upload a crafted file and access it using an API request. This would trigger a deserialization of file parameters and cause code injection into the SharePoint server process. According to the MSRC, this vulnerability is “more likely to be exploited,” meaning that the vulnerability is not complex to trigger despite the numerous steps involved.
CVE-2024-30043 also requires authentication, and it allows attackers to get file content on the server. Depending on the user privileges the attackers possess, the scope of files they can access increases.
In our observations, we’ve seen that approximately 30% of environments had at least one machine with a SharePoint server installed on it.
Since SharePoint servers are usually meant to be used for document sharing, it might be difficult to segment or limit user access to them without harming normal operations. Therefore, we recommend that you patch your server as soon as possible.
However, since both CVEs require user authentication, it might be possible to mitigate some of the risks by hardening user access, or by increasing alert sensitivity on suspicious user activity or logins.
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.
Service |
CVE number |
Effect |
Required access |
|---|---|---|---|
Remote code execution |
Network |
||
Remote code execution |
Network, user needs to connect to a malicious SQL server |
||
Denial of service |
Network |
||
Information disclosure |
Local |
||
Spoofing |
Network, authentication required |
||
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.