Patch Tuesday roundup for May 2024

· 1 MIN READ · MATT JASTRAM · MAY 14, 2024 · TAGS: MDR / vulnerability prioritization

This Patch Tuesday includes 67 published CVEs from Microsoft, and VMware joins the party with four CVEs of its own.

Patch Tuesday, May 2024 edition, is out, so our team reviewed the released patches. Here are our top takeaways.

Microsoft’s May patch release was a 55% reduction in CVEs from April. They must have sent folks to RSA Conference, or maybe they felt sorry for the industry! There’s some evidence threat actors are exploiting these vulnerabilities in the wild, so here are some steps we recommend to reduce exploit risk:

  • Exploit evidence exists for Windows DWM Core Library Elevation of Privilege Vulnerability. We recommend remediation. Microsoft’s site acknowledges that threat actors are exploiting CVE-2023-36033. Some researchers have even publicly stated that there’s evidence that the malware family QakBot has leveraged the CVE.
  • Remediate Microsoft Office SharePoint Remote Code Execution (RCE) vulnerability. CVE-2024-30044 was Microsoft’s only ‘Critical-ly’ acclaimed CVE for May. The Microsoft SharePoint Server Remote Code Execution flaw enables an authenticated attacker with Site Owner permissions (or higher) to upload a crafted file to the targeted SharePoint Server and, with crafty API requests, trigger deserialization of the file’s parameters. Ultimately, the attacker can perform RCE in the context of the SharePoint Server.

VMware Security Update

  • Remediate a critical VMware Workstation (Windows 17.x) & Fusion (Mac OS X 13.x) weakness: a use-after-free vulnerability (CVE-2024-22267) in the virtual machine’s ‘vbluetooth’ device. If a threat actor gains local admin access to a virtual machine, they’re able to execute code as the virtual machine’s VMX process running on the host. VMware did post a compensating control or workaround.
  • Similar vulnerabilities, but classified only as “Important”:
    • CVE-2024-22268 heap buffer-overflow Vulnerability in Shader functionality
    • CVE-2024-22269 Information Disclosure Vulnerability in ‘vbluetooth’ device
    • CVE-2024-22270 Information Disclosure Vulnerability in ‘vbluetooth’ device

That’s it for this month. If you have any questions about these specific vulnerabilities (and others on the Patch Tuesday list)—or if you’re interested in learning how Expel Vulnerability Prioritization can give you context for your own environment—feel free to get in touch.