Vulnerability Management, Patch/Configuration Management, Malware

Microsoft fixes exploited Qakbot-delivering 0-day in May Patch Tuesday

Entreprise Microsoft logo

This month’s Patch Tuesday security update saw Microsoft issue fixes for 60 vulnerabilities, including three zero-day bugs, two of which were being exploited in the wild.

Click for more special coverage

Researchers said one of the exploited zero-days, tracked as CVE-2024-30051, was likely being abused by several threat actors to deliver Qakbot and other malware.

Multiple researchers from Kaspersky, DBAPPSecurity, Google’s Threat Analysis Group, and Mandiant were credited with reporting the bug, a Windows DWM (Desktop Window Manager) Core Library elevation of privilege (EoP) vulnerability.

In a post, Kaspersky’s Boris Larin and Mert Degirmenci said they stumbled across it while following up on another DWM Core Library EoP bug, CVE-2023-36033. Their research uncovered a document uploaded to VirusTotal that set out the exploitation process for the new vulnerability.

During subsequent monitoring, the Kaspersky duo observed the vulnerability being exploited in mid-April.

“We have seen it used together with QakBot and other malware, and believe that multiple threat actors have access to it,” the pair wrote.

“We are going to publish technical details about CVE-2024-30051 once users have had time to update their Windows systems.”

Microsoft said an attacker who successfully exploited the vulnerability could gain SYSTEM privileges and gave it a CVSS score of 7.8.

Urgent patching of exploited bug recommended

Saeed Abbasi, vulnerability research manager at Qualys Threat Research Unit, said the DWM Core Library EoP bug’s ability to enable attackers to gain SYSTEM privileges made it a vital security threat.

“Exploitation is feasible with low attack complexity and no user interaction, increasing the likelihood of widespread attacks. The involvement of multiple recognized security researchers highlights the importance of this vulnerability in security circles, which could lead to increased attempts at exploitation,” Abbasi said.

“Organizations must prioritize immediate patching as the vulnerability is publicly known and functional exploits exist.”

The second zero-day known to be exploited, CVE-2024-30040, was a Windows MSHTML Platform security feature bypass flaw with a CVSS score of 8.8.

“This vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls,” Microsoft said in its advisory.

“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user.”

A third zero-day, CVE-2024-30046, a Visual Studio denial of service vulnerability, had not been exploited and Microsoft assessed the risk of exploitation as “less likely,” noting an attacker would need to “invest time in repeated exploitation attempts through sending constant or intermittent data.”

SharePoint Server bug rated "critical"

Only one of the flaws addressed this month was rated critical by Microsoft, with the rest (including the three zero-days) described as important, except for a lone vulnerability classed as moderate.

The critical vulnerability, CVE-2024-30044, was a SharePoint Server remote code execution bug with a CVSS score of 8.8. It was among those flaws addressed this month that were considered more likely to be exploited.

“An authenticated attacker with Site Owner permissions or higher could upload a specially crafted file to the targeted SharePoint Server and craft specialized API requests to trigger deserialization of file’s parameters,” Microsoft said.

“This would enable the attacker to perform remote code execution in the context of the SharePoint Server.”

May’s Microsoft Patch Tuesday vulnerability count was well down of the record-setting 147 flaws the company addressed in last month’s security update.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.