In its most recent Patch Tuesday rollout, Microsoft took on a hefty load of 59 CVEs (Common Vulnerabilities and Exposures), shining a spotlight on one particularly critical vulnerability along with three zero-day flaws
Among these, a sneaky elevation of privilege glitch lurking in the DWM Core Library beneath Microsoft Windows systems, as well as a security feature bypass nestled within the MSHTML Engine, have come to the forefront as the exploited zero-day culprits.
Satnam Narang, Senior Staff Research Engineer at Tenable, lent his expertise to dissecting the Patch Tuesday affair.
While acknowledging a noticeable dip from last month’s staggering 147 CVE count, which had set a record high, Narang cautioned against complacency, especially in light of the uptick in zero-day threats.
Zooming in on the exploit tagged with CVE-2024-30051, Narang unpacked its potential for post-compromise privilege elevation among local attackers.
Shedding light on its modus operandi, he explained, “Zero-day exploitation of an elevation of privilege flaw often signals targeted attack campaigns. Even post-patch, threat actors manage to find success exploiting these vulnerabilities.”
Narang underscored the strategic deployment of CVE-2024-30051 for initial access into target environments, hinging on social engineering tactics like phishing emails to lure unsuspecting victims into opening malicious documents.
Once breached, attackers can sidestep OLE (Object Linking and Embedding) mitigations in Microsoft 365 and Office, effectively outmaneuvering built-in security barriers.
The recurrence of exploits targeting the DWM Core Library raised eyebrows, with Narang hinting at possible links between CVE-2024-30051 and its predecessor CVE-2023-36033.
Drawing parallels, he mused, “While specifics remain under wraps, the pattern suggests either a persistent threat actor or a patch loophole left unsealed.”
Turning to the MSHTML realm, CVE-2024-30040 emerged as the year’s first security feature bypass exploit, following a flurry of eight vulnerabilities patched in 2023. Of the previous batch, only one had been exploited in the wild as a zero-day, underscoring the evolving landscape of cyber threats.
Amidst the lineup, CVE-2024-30044 stood out as the lone ‘Critical’ contender, earning accolades from Narang for its stringent exploitation prerequisites. He elaborated, “This flaw demands authenticated access to a vulnerable SharePoint Server with elevated permissions, a barrier that may deter all but the most determined attackers.”
As the digital battleground continues to evolve, Microsoft’s Patch Tuesday saga serves as a stark reminder of the perpetual arms race between security defenders and threat actors, each maneuvering to outwit the other in a high-stakes game of cat and mouse.
