Microsoft Patch Tuesday
This month’s Patch Tuesday includes security updates that fix 3 actively exploited zero-days and a total of 61 vulnerabilities.
As usual, fixes were released for multiple products, including 1 Critical severity vulnerability and 27 Remote Code Execution vulnerabilities.
The most important patches are:
- CVE-2024-30040 – Windows MSHTML Platform Security Feature Bypass Vulnerability. A bypass of the OLE mitigations in Microsoft 365 and Microsoft Office that protect users from vulnerable COM/OLE controls. An unauthenticated attacker could gain code execution by convincing a user to open a malicious document. CVSS 3.1: 8.8 (High)
- CVE-2024-30051 – Windows DWM Core Library Elevation of Privilege Vulnerability. A vulnerability in the Windows DWM Core Library that could allow privilege escalation to SYSTEM. CVSS 3.1: 7.8 (High)
The patches this month break down as follows:
- 27 Remote Code Execution
- 17 Privilege Escalation
- 7 Information Disclosure
- 4 Spoofing
- 3 Denial of Service
- 2 Security Feature Bypass
Affected Products
- .NET and Visual Studio
- Azure Migrate
- Microsoft Bing
- Microsoft Brokering File System
- Microsoft Dynamics 365 Customer Insights
- Microsoft Edge (Chromium-based)
- Microsoft Intune
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows SCSI Class System File
- Microsoft Windows Search Component
- Power BI
- Visual Studio
- Windows Cloud Files Mini Filter Driver
- Windows CNG Key Isolation Service
- Windows Common Log File System Driver
- Windows Cryptographic Services
- Windows Deployment Services
- Windows DHCP Server
- Windows DWM Core Library
- Windows Hyper-V
- Windows Kernel
- Windows Mark of the Web (MOTW)
- Windows Mobile Broadband
- Windows MSHTML Platform
- Windows NTFS
- Windows Remote Access Connection Manager
- Windows Routing and Remote Access Service (RRAS)
- Windows Task Scheduler
- Windows Win32K – GRFX
- Windows Win32K – ICOMP