Microsoft Fixes Three Zero-Days in May Patch Tuesday

System administrators have over 60 CVEs to address in the latest Microsoft Patch Tuesday, including three zero-day vulnerabilities.

Of these three zero-day bugs, two have been actively exploited in the wild, the most prominent of which (CVE-2024-30051) has been used to deliver QuakBot and other malware.

CVE-2024-30051 is an elevation of privilege vulnerability that stems from a heap-based buffer overflow in the Windows Desktop Window Manager (DWM) Core Library.

Action1 president, Mike Walters, warned that it could pose a significant risk to environments with “numerous and diverse local users,” like corporate networks and academic institutions.

“This vulnerability can be exploited by a low-privileged local user on a shared system to gain system-level access, which could allow them to install software, alter or delete data, and modify system settings destructively. Alternatively, malware utilizing a multi-stage payload might leverage this exploit to increase its privileges and further compromise the system,” he explained.

“Furthermore, an attacker might use a less severe vulnerability as an entry point to gain initial low-level access to a machine and then exploit CVE-2024-30051 to escalate their privileges from a low-privileged account to system, thereby gaining extensive control over the machine.”

These privileges could be used to disable security features, steal sensitive data or conduct lateral movement across a victim network, Walters added.

The second actively exploited zero-day is CVE-2024-30040, a Windows MSHTML platform security feature bypass flaw.

“Windows MSHTML is a browser engine that renders web pages frequently connected to Internet Explorer. Even though the Internet Explorer 11 desktop application has reached the end of support, MSHTML vulnerabilities are still relevant today and are being patched by Microsoft,” explained Qualys technical content developer Diksha Ojha.

“The vulnerability can bypass OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls. An unauthenticated attacker may exploit this vulnerability to execute code by convincing a user to open a malicious document.”

Finally, Microsoft also patched a denial-of-service flaw in Microsoft Visual Studio (CVE-2024-30046) which it claimed was publicly disclosed but not currently exploited.

The only critical CVE of the 61 fixed this month was CVE-2024-30044, a remote code execution (RCE) bug in Microsoft SharePoint Server.
