Microsoft fixes a bug abused in QakBot attacks plus a second under exploit

Happy May Patch Tuesday. We've got a lot of vendors joining this month's patchapalooza, which includes a handful of bugs that have been exploited — either in the wild or at Pwn2Own — and now fixed by Microsoft, Apple, Google and VMware.

Starting with Microsoft: Redmond disclosed and fixed 60 Windows CVEs today including two listed as publicly known and exploited prior to the patch being issued.

The first one is an elevation of privilege bug in Windows DWM core library, tracked as CVE-2024-30051, that received a 7.8 CVSS rating.  It allows an attacker to gain system privileges, so patch ASAP. 

While Microsoft doesn't provide any detail about the scale and scope of the exploit, it was spotted by several bug hunters, which indicates that it's pretty widespread. Redmond credits Kaspersky's Mert Degirmenci and Boris Larin, DBAPPSecurity WeBin Lab's Quan Jin and Guoxian Zhong, Google Threat Analysis Group's Vlad Stolyarov and Benoit Sevens, and Google Mandiant's Bryce Abdo and Adam Brunner with finding and reporting the vulnerability.

According to the Kaspersky team, CVE-2024-30051 is being abused to deploy the Qakbot banking Trojan and other malware, and they "believe that multiple threat actors have access to it."

The second that's listed as "exploitation detected" is tracked as CVE-2024-30040, and is a security feature bypass bug in Windows MSHTML that received an 8.8 CVSS score. Again, no details from Redmond about who is exploiting this vulnerability and to what scale.

According to Microsoft, an attacker could abuse this flaw by first convincing a user into loading a malicious file — probably sent via email or instant messenger. After the file is opened, the attacker could exploit the bug to bypass OLE mitigations in Microsoft 365 and Microsoft Office and then execute code.

• NHS Digital hints at exploit sightings of Arcserve UDP vulnerabilities
• The truth about KEV: CISA's vuln deadlines good influence on private-sector patching
• Patch up – 4 critical bugs in ArubaOS lead to remote code execution
• Open source programming language R patches gnarly arbitrary code exec flaw

Only one of Microsoft's 60 bugs is deemed critical, earning an 8.8 CVSS rating, so let's move on to that one next. It's a remote code execution (RCE) vulnerability in SharePoint Server tracked as CVE-2024-30044. Zero Day Initiative researcher Piotr Bazydło discovered and reported it to Microsoft, and it allows an unauthenticated attacker with site owner permission to inject and execute arbitrary code.

"They could also perform an HTTP-based server-side request forgery (SSRF), and — most importantly — perform NLTM relaying as the SharePoint Farm service account," warns ZDI's Dustin Childs. "Bugs like this show why info disclosure vulnerabilities shouldn't be ignored or deprioritized."

Apple also under attack

Apple's got several bugs and fixes this month, with the "most notable," according to Childs, being a patch for CVE-2024-23296 for iOS 16.7.8 and iPadOS 16.7.8. It's a memory corruption flaw in RTKit that could be abused to bypass kernel memory protections by an attacker with arbitrary kernel read and write capability. 

"Apple is aware of a report that this issue may have been exploited," Cupertino noted, so go ahead and update this one soon, too.

Also this week: Apple patched a bug in Safari, tracked as CVE-2024-27834, that was exploited during Pwn2Own by Master of Pwn winner Manfred Paul.

Wait, another Chrome bug under exploit?

Google pushed an update to fix a high-severity Chrome browser flaw, tracked as CVE-2024-4761, that has already been exploited by miscreants, according to the Chocolate Factory. It's a out-of-bounds write bug in V8 JavaScript engine, and in usual fashion Google doesn't provide any details about who is exploiting the CVE and for what nefarious purposes.

In addition to the emergency Chrome fix, Google released its usual monthly Android updates that patched 38 vulnerabilities. "The most severe of these issues is a critical security vulnerability in the System component that could lead to local escalation of privilege with no additional execution privileges needed," we're told.

VMware Pwned

The virtualization giant updated VMware Workstation and Fusion software to patch four security vulnerabilities (CVE-2024-22267, CVE-2024-22268, CVE-2024-22269, CVE-2024-22270), the most serious of which is a use-after-free vulnerability (CVE-2024-22267) in both products that received a 9.3 CVSS rating. 

"A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," VMware said. 

It's worth noting that this flaw was also found and exploited during Pwn2Own by Gwangun Jung and Junoh Lee of Theori and STAR Labs SG.

Adobe addresses 37 bugs

Adobe issued eight patches for 37 bugs across its products, none of which are listed as publicly known of under exploit.

The update for Acrobat and Reader addresses 12 CVEs, nine of which are rated critical severity flaws. Adobe also patched three vulnerabilities in Illustrator, four in Substance 3D Painter, one in Aero and one in Substance 3D Designer.

Meanwhile, the update for Adobe Animate fixes seven CVEs, and FrameMaker fixes eight.

SAP secures critical CVEs

SAP released seventeen new and updated patches, including two HotNews Notes and one High Priority Note. 

The two HotNews Notes deserve top priority, according to Thomas Fritsch, SAP security researcher at Onapsis. These include security note #3455438, which received a 9.8 CVSS score and patches two critical vulnerabilities in SAP Customer Experience(CX) Commerce caused by external libraries used in SAP Commerce Cloud.

SAP security note #3448171 addresses another critical flaw, this one receiving a 9.6 CVSS score. It patches a file upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform.

"The Onapsis Research Labs (ORL) detected that due to a missing signature check for two content repositories, an unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise the system," Fritsch explained.

Last but not least…Intel

And rounding out this month's patch party, Intel weighed in with a whopping 41 updates.

Only one of these security updates is deemed critical, and it fixes an escalation of privilege bug (CVE-2024-22476) in Intel Neural Compressor software before version 2.5.0 that could be exploited by an remote, unauthenticated user. It received a perfect 10 out of 10 CVSS rating, so start with this update.

The same product update also addresses a lesser flaw (CVE-2024-21792) with a medium, 4.7 CVSS rating. This one is a time-of-check time-of-use (TOC/TOU) race condition that could be exploited for information disclosure by an unauthenticated user with local access. ®