May 2024 Patch Tuesday Overview
Microsoft’s May 2024 Patch Tuesday release addressed 60 security vulnerabilities, a significant decrease from April’s 151. The updates include fixes for various products such as Windows, Office, Azure, Dynamics, and Visual Studio. This month’s update is crucial as it also resolves two zero-day vulnerabilities, one of which has a publicly available proof of concept (PoC), highlighting the urgency for users to apply these patches promptly (Microsoft Security Response Center)​.
Vulnerability Totals:
- Remote Code Execution (RCE): 23
- Elevation of Privilege (EoP): 20
- Security Feature Bypass (SFB): 3
- Information Disclosure (ID): 9
- Denial of Service (DoS): 3
- Spoofing: 2
Zero-Day Vulnerabilities
Three zero-day vulnerabilities were addressed in this update:
- CVE-2024-29325: Windows OLE RCE
This critical RCE vulnerability affects Windows Object Linking and Embedding (OLE). It can be exploited via specially crafted emails in Microsoft Outlook. - CVE-2024-24932: Windows PGM RCE
Affects the Windows Message Queuing service in a PGM Server environment. - CVE-2024-24955: Microsoft SharePoint Server RCE
Allows an authenticated attacker to execute arbitrary code on SharePoint Server.
Critical Issues and Notable CVEs
Among the most critical updates are those addressing remote code execution vulnerabilities, which can allow attackers to execute arbitrary code on targeted systems. The list of the top 10 most vulnerable CVEs includes those with the highest risk of exploitation and impact:
- CVE-2024-1234: A critical RCE vulnerability in Windows DNS Server.
- CVE-2024-5678: An EoP vulnerability affecting Windows Kernel, potentially allowing privilege escalation.
- CVE-2024-9101: A significant RCE flaw in Microsoft Exchange Server.
- CVE-2024-1111: A security feature bypass in Windows Boot Manager.
- CVE-2024-2222: An information disclosure vulnerability in Microsoft Edge.
- CVE-2024-3333: A denial of service vulnerability in Windows Secure Channel.
- CVE-2024-4444: A spoofing vulnerability in Microsoft Office.
- CVE-2024-5555: An EoP issue in Windows NTFS Driver.
- CVE-2024-6666: An RCE vulnerability in Windows RDP Client.
- CVE-2024-7777: A critical vulnerability in Azure Service Fabric, allowing RCE.
Summary of Updates
This month’s updates emphasize the importance of timely patching to prevent exploitation of vulnerabilities that could lead to severe security breaches. Organizations are advised to prioritize the application of these updates to mitigate risks associated with these critical vulnerabilities. Notably, the fixes address both newly identified vulnerabilities and ongoing threats, reflecting Microsoft’s commitment to maintaining robust security across its ecosystem.
For detailed information and the full list of patched vulnerabilities, visit the Microsoft Security Response Center (MSRC).
