Date: 2024-05-15

A critical vulnerability affecting Microsoft SharePoint Server, and two zero-day flaws in Windows MSHTML Platform and Windows Desktop Window Manager (DWM) Core Library should be top-of-mind for administrators, as Microsoft releases its monthly Patch Tuesday update addressing over 60 bugs and issues.

The SharePoint Server flaw – which stands as the only critical vulnerability in the May 2024 drop – is a remote code execution (RCE) vulnerability tracked as CVE-2024-30044. Details of it have not yet been made public, and nor does it appear to have been exploited in the wild.

Microsoft said that if an authenticated attacker has obtained site owner permissions, they could exploit CVE-2024-30044 to upload a specially crafted file to the victim server and create specialised application programming interface (API) requests to trigger the deserialisation of the file’s parameters. In this way, they could then achieve RCE in the context of the compromised server.

The fact that CVE-2024-30044 stems from an untrusted data deserialisation issue makes it particularly problematic, explained Mike Walters, president and co-founder of Action1, because it allows attackers to inject and execute arbitrary code during the deserialisation process.

“An attacker with basic Site Viewer permissions could leverage this vulnerability to execute code remotely, enabling activities such as deploying web shells, installing malware or extracting sensitive data,” said Walters. “If an attacker gains initial access through other means, such as phishing or another vulnerability, they could use CVE-2024-30044 to establish a more persistent and powerful foothold within the network.

“Combining this vulnerability with another that allows privilege escalation could enable attackers to transition from initial access to full administrative control,” he said.

“This can facilitate persistence within the network and make detection more challenging. Upon establishing control, attackers could use further tools to exfiltrate sensitive data from the SharePoint Server, potentially leading to significant data breaches. Additionally, once remote code execution is achieved, threat actors might deploy ransomware to encrypt critical files on the SharePoint Server, demanding a ransom for the decryption keys.”

Object linking and embedding

The two zero-day flaws this month are CVE-2024-30040, a security feature bypass vulnerability in Windows MSHTML Platform, and CVE-2024-30051, an elevation of privilege (EoP) vulnerability in Windows DWM Core Library.

On the first of these, Microsoft revealed how it essentially lets a malicious actor bypass object linking and embedding (OLE) protections in Microsoft 365 and Microsoft Office by getting a user to load a tainted file onto a vulnerable system via a phishing email or instant message and convincing them to manipulate it, though not necessarily to click on or open it. This would give the unauthenticated attacker the ability to execute arbitrary code presenting as the victim.