Urgent Security Update: Microsoft Patches 61 Vulnerabilities, 3 Zero-Days
Microsoft has unveiled the May Patch Tuesday update, which includes fixes for 61 vulnerabilities, including three zero-day vulnerabilities that were either actively exploited or publicly disclosed prior to the patch.
Among all the addressed vulnerabilities, only one was deemed critical— a remote code execution vulnerability in Microsoft SharePoint Server. The distribution of vulnerabilities by category is as follows:
- 17 privilege escalation vulnerabilities
- 2 security feature bypass vulnerabilities
- 27 remote code execution vulnerabilities
- 7 information disclosure vulnerabilities
- 3 denial of service vulnerabilities
- 4 spoofing vulnerabilities
This extensive list does not include two Microsoft Edge vulnerabilities fixed on May 2nd and another four fixed on May 10th.
Zero-Day Vulnerability Fixes
A zero-day vulnerability is one that has been publicly disclosed or actively exploited in real-world attacks before an official patch is released. This time, Microsoft has addressed three such vulnerabilities:
- CVE-2024-30040 (CVSS score 8.8): A security feature bypass vulnerability in the Windows MSHTML platform, allowing attackers to execute arbitrary code through vulnerable COM/OLE controls.
- CVE-2024-30051 (CVSS score 7.8): A privilege escalation vulnerability in the Windows DWM core library, enabling attackers to obtain SYSTEM privileges.
- CVE-2024-30046 (CVSS score 5.9): A denial of service vulnerability in Visual Studio caused by a race condition during parallel execution using a shared resource.
In addition to fixing these zero-day vulnerabilities, Microsoft has resolved an issue that caused VPN connections in Windows to fail after installing the April security updates. These fixes are also included in the latest Patch Tuesday update and can be applied simultaneously.
Microsoft has demonstrated a responsible approach by releasing the May updates to address critical vulnerabilities in Windows and related products. The timely release of patches, along with their prompt installation by users, helps protect vulnerable devices and minimize the risks of cyberattacks.
