Microsoft has issued patches for 61 newly-discovered security vulnerabilities in its software. The fixes, which arrived as part of its Patch Tuesday package of updates, also included resolutions for two zero-day exploits. Of the others, 59 are rated as ‘Important,’ while those rated ‘Critical’ and ‘Moderate’ number one each. This follows updates being issued for 30 vulnerabilities in Microsoft’s Edge browser over the previous month. 

One of the zero-day vulnerabilities identified, named CVE-2024-30051, could allow attackers to gain system privileges. The flaw was discovered by Kaspersky researchers Mert Degirmenci and Boris Larin inside a file uploaded to VirusTotal in April. “After sending our findings to Microsoft, we began to closely monitor our statistics in search of exploits and attacks that exploit this zero-day vulnerability, and in mid-April, we discovered an exploit,” the pair wrote. “We have seen it used together with QakBot and other malware, and believe that multiple threat actors have access to it.”

A man typing computer code into a laptop, used to illustrate a story about Microsoft issuing patches for software vulnerabilities.
Microsoft’s latest Patch Tuesday was a busy one. (Photo by Shutterstock)

Software vulnerabilities identified include two zero-days

Another one of the zero-day vulnerabilities described by Microsoft, named CVE-2024-30040, could allow a hacker to bypass OLE mitigations in its Microsoft 365 and Microsoft Office services and execute arbitrary code. “An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file,” it added. 

Other flaws include 11 vulnerabilities identified in Windows Mobile Broadband Driver, seven in Windows Routing and Remote Access Service (RRAS) and three each in Windows Hyper-V and Windows Common Log File System Driver. Four patches were issued to cover issues with Adobe software. 25 of the identified flaws pertained to remote code execution, while another 17 potentially allowed attackers to escalate their system privileges. Only four are related to possible spoofing dangers. 

Cybersecurity researchers warn against ignoring info disclosure vulnerabilities

Another ‘critical’ vulnerability identified in Microsoft Sharepoint named CVE-2024-30043 could, if exploited, allow an attacker to read local files using privileges suborned from SharePoint Farm’s service. 

“They could also perform an HTTP-based server-side request forgery (SSRF) and – most importantly – perform NLTM [network trust level manager] relaying as the SharePoint Farm service account,” wrote cybersecurity researcher Dustin Childs. “Bugs like this show why info disclosure vulnerabilities shouldn’t be ignored or deprioritised.”

Read more: Rheinmetall reveals last year’s hack by Black Basta cost the firm $10m