
Microsoft issues patches for over 60 software vulnerabilities

Microsoft’s list of bugs included two zero-day vulnerabilities currently under active exploitation.

By Greg Noone

Microsoft has issued patches for 61 newly discovered security vulnerabilities in its software. The fixes, which arrived as part of its Patch Tuesday package of updates, also included resolutions for two zero-day exploits. Of the others, 59 are rated ‘Important’, while one each is rated ‘Critical’ and ‘Moderate’. This follows updates issued for 30 vulnerabilities in Microsoft’s Edge browser over the previous month.

One of the zero-day vulnerabilities identified, named CVE-2024-30051, could allow attackers to gain system privileges. The flaw was discovered by Kaspersky researchers Mert Degirmenci and Boris Larin inside a file uploaded to VirusTotal in April. “After sending our findings to Microsoft, we began to closely monitor our statistics in search of exploits and attacks that exploit this zero-day vulnerability, and in mid-April, we discovered an exploit,” the pair wrote. “We have seen it used together with QakBot and other malware, and believe that multiple threat actors have access to it.”

[Photo: Microsoft’s latest Patch Tuesday was a busy one. (Photo by Shutterstock)]

Software vulnerabilities identified include two zero-days

The second zero-day vulnerability described by Microsoft, named CVE-2024-30040, could allow a hacker to bypass OLE mitigations in its Microsoft 365 and Microsoft Office services and execute arbitrary code. “An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file,” Microsoft added.

Other flaws include 11 vulnerabilities identified in the Windows Mobile Broadband Driver, seven in the Windows Routing and Remote Access Service (RRAS) and three each in Windows Hyper-V and the Windows Common Log File System Driver. Four patches were issued to cover issues with Adobe software. Twenty-five of the identified flaws pertained to remote code execution, while another 17 potentially allowed attackers to escalate their system privileges. Only four are related to possible spoofing dangers.

Cybersecurity researchers warn against ignoring info disclosure vulnerabilities

Another ‘critical’ vulnerability identified in Microsoft SharePoint, named CVE-2024-30043, could, if exploited, allow an attacker to read local files using the privileges of the SharePoint Farm service account.

“They could also perform an HTTP-based server-side request forgery (SSRF) and – most importantly – perform NTLM [network trust level manager] relaying as the SharePoint Farm service account,” wrote cybersecurity researcher Dustin Childs. “Bugs like this show why info disclosure vulnerabilities shouldn’t be ignored or deprioritised.”
