Microsoft's May Patch Tuesday instalment offers patches for 61 vulnerabilities in total, a decrease from the 150 seen in April. Of these, only 1 is rated critical, 2 were publicly disclosed before the release, and 2 are being exploited in the wild.
The only critical vulnerability patched this month affects Microsoft SharePoint Server and, if exploited successfully, allows an authenticated attacker with site owner permissions to achieve remote code execution. The attacker must upload a specially crafted file to the targeted SharePoint Server and then issue specially crafted API requests that trigger deserialization of the file's parameters. While the attack complexity for this vulnerability is low, the attacker must already hold highly elevated privileges before exploitation is possible. An official fix is available for this flaw and should be applied as soon as possible.
This actively exploited vulnerability, rated important, exists in Windows MSHTML, a core component used to render browser-based content. The flaw bypasses the OLE mitigations in Microsoft 365 and Microsoft Office that protect users from vulnerable COM/OLE controls, allowing an unauthenticated attacker to gain code execution.
To exploit this vulnerability successfully, an attacker would have to entice the victim to load a malicious file onto a vulnerable system and then convince the user to interact with the specially crafted file. The maximum severity for this flaw is rated important.
This publicly disclosed vulnerability in Visual Studio, rated important, could result in denial of service if exploited correctly. It is classified under CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'), and Microsoft has noted that the “successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data”; further information is limited at this time.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-May
Security update guide: https://msrc.microsoft.com/update-guide/
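Since the practical outcome of this month's release is confirming that the updates have actually landed on each host, the following PowerShell check is an added example that is not part of the Ironshare post. It assumes that the May 2024 Patch Tuesday release date was 14 May 2024 and, because the post does not list KB numbers, keys on install date and update title rather than on specific identifiers. The function name Test-MayPatchTuesdayApplied and the title regex are this example's own choices.

```powershell
# Added example (not from the Ironshare post): report whether a Windows host has
# installed updates since the May 2024 Patch Tuesday release.
# Assumptions: the release date is 14 May 2024; KB numbers are not given in the
# post, so the check keys on install date and update title, not on specific KBs.

function Test-MayPatchTuesdayApplied {
    [CmdletBinding()]
    param(
        # Assumed release date of the May 2024 Patch Tuesday instalment.
        [datetime]$ReleaseDate = [datetime]'2024-05-14'
    )

    # Source 1: Win32_QuickFixEngineering via Get-HotFix. Quick, but it only
    # lists packages that register a hotfix ID, so it can miss some updates.
    $hotfixes = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $ReleaseDate } |
        Select-Object HotFixID, Description, InstalledOn |
        Sort-Object InstalledOn -Descending

    # Source 2: the Windows Update Agent history through its COM API. This
    # covers cumulative and security updates and records the install result.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    $history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }

    # IUpdateHistoryEntry.ResultCode (OperationResultCode):
    # 0 NotStarted, 1 InProgress, 2 Succeeded, 3 SucceededWithErrors, 4 Failed, 5 Aborted
    $resultNames = @{ 0='NotStarted'; 1='InProgress'; 2='Succeeded'; 3='SucceededWithErrors'; 4='Failed'; 5='Aborted' }

    $updates = $history |
        Where-Object { $_.Date -ge $ReleaseDate -and $_.Title -match 'Security|Cumulative' } |
        Select-Object Date, Title,
            @{ Name = 'Result'; Expression = { $resultNames[[int]$_.ResultCode] } } |
        Sort-Object Date -Descending

    # A host is treated as patched only if at least one matching update
    # succeeded (with or without errors) on or after the release date.
    $succeeded = @($updates | Where-Object { $_.Result -in 'Succeeded', 'SucceededWithErrors' })
    $failed    = @($updates | Where-Object { $_.Result -eq 'Failed' })

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ReleaseDate       = $ReleaseDate.ToString('yyyy-MM-dd')
        Patched           = $succeeded.Count -gt 0
        SucceededUpdates  = $succeeded
        FailedUpdates     = $failed
        RecentHotfixes    = $hotfixes
    }
}

# Usage: run elevated on the host being checked, then review the summary.
$report = Test-MayPatchTuesdayApplied
if (-not $report.Patched) {
    Write-Warning "No successful security/cumulative update since $($report.ReleaseDate) on $($report.ComputerName)"
}
if ($report.FailedUpdates.Count -gt 0) {
    Write-Warning "Failed update installs since $($report.ReleaseDate):"
    $report.FailedUpdates | Format-Table Date, Title -AutoSize
}
$report | Select-Object ComputerName, ReleaseDate, Patched
$report.SucceededUpdates | Format-Table Date, Title, Result -AutoSize
```

Note that Windows Update history only reflects components serviced through Windows Update; SharePoint Server and Office builds delivered through other channels (for example Click-to-Run) must be verified against the product's own build number or the release notes linked above.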
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing security consultancy and managed services.
Joshua is a Managed Service Lead with Ironshare, an Information and Cyber Security company providing security consultancy and managed services.