Microsoft released its monthly batch of security fixes on Tuesday, which included patches for three vulnerabilities that already had exploits available. Two of those vulnerabilities are being actively exploited, with one being used by multiple groups to deliver malware, including the QakBot trojan.
Microsoft’s updates addressed 61 vulnerabilities across its products, but only one was rated critical: a remote code execution flaw in SharePoint Server (CVE-2024-30044). However, successful exploitation of this flaw requires attackers to take additional steps in order to prepare the target environment.
Despite not being rated critical, two other vulnerabilities should definitely be prioritized by organizations: a privilege escalation flaw in the Windows Desktop Window Manager (DWM) core library tracked as CVE-2024-30051 and a security feature bypass in the Windows MSHTML platform (CVE-2024-30040). Both flaws are currently exploited in the wild.
Exploit discovered by chance
The DWM vulnerability was discovered by researchers from antivirus vendor Kaspersky Lab while they were searching for exploits for an older vulnerability in the same Windows component that was patched last year. That vulnerability, tracked as CVE-2023-36033, was also disclosed as a zero-day and was used in attacks.
While searching for patterns related to that exploit in order to identify new samples and attacks in which it might have been used, the Kaspersky researchers found a document uploaded to the VirusTotal online scanning engine on April 1. That document, written in broken English, seemed to describe a new DWM vulnerability whose exploitation steps were nearly identical to those for the older CVE-2023-36033 flaw.
“Judging by the quality of the writing and the fact that the document was missing some important details about how to actually trigger the vulnerability, there was a high chance that the described vulnerability was completely made up or was present in code that could not be accessed or controlled by attackers,” Kaspersky’s researchers wrote in a blog post. “But we still decided to investigate it, and a quick check showed that this is a real zero-day vulnerability that can be used to escalate privileges.”
After reporting their findings to Microsoft and confirming that it was a real exploit for a new vulnerability, the Kaspersky researchers started looking through their telemetry for signs that it had been used in attacks, and it wasn’t long before they found some.
In mid-April they started seeing the exploit used in attacks that deployed QakBot, aka Qbot, a trojan program and botnet that has long been used as a malware distribution platform by many cybercriminal groups, including ransomware gangs. The FBI and CISA issued an alert last week about the Black Basta ransomware group targeting healthcare and critical infrastructure organizations; QakBot is one of the methods used by Black Basta affiliates to gain access to corporate networks.
In addition to QakBot, the Kaspersky researchers have seen other payloads deployed with the exploit for the new CVE-2024-30051 vulnerability, including the Cobalt Strike beacon. As a result, Kaspersky has concluded that the exploit is currently known and being used by multiple groups.
It’s worth noting that CVE-2024-30051 cannot be used to gain initial access. It is a privilege escalation flaw that enables attackers to gain full system control (SYSTEM privileges) once they’re already able to execute malware on a computer.
OLE security bypass
The second vulnerability exploited in the wild affects the Windows MSHTML platform, enabling attackers to bypass Microsoft Object Linking & Embedding (OLE) defenses in Microsoft 365 and Microsoft Office.
OLE allows Office documents to embed links to external objects and documents that could call other programs. Attackers have long been known to exploit this feature with techniques such as OLE template injection to execute malicious code from custom-crafted files. For this reason, Microsoft Office now has Protected View mode for files downloaded from the internet.
“An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file,” Microsoft wrote in its advisory for CVE-2024-30040.
The vulnerability is flagged as “exploited” by Microsoft and is also included in the Known Exploited Vulnerabilities catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA).
Third publicly known vulnerability
A third vulnerability for which an exploit is publicly available is CVE-2024-30046. This denial-of-service vulnerability in Visual Studio, which hasn’t been exploited in the wild yet, is rated important. According to Microsoft, however, exploitation is not trivial because it depends on a race condition.
“Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data,” the company wrote in its advisory.
Other notable flaws to fix
According to researchers from the Zero Day Initiative (ZDI) program at Trend Micro, organizations should also prioritize the fix for a privilege escalation flaw in Windows Search that’s tracked as CVE-2024-30033. This vulnerability was reported to Microsoft via ZDI and has a similar impact to the privilege escalation flaw that’s currently being exploited in the wild, the researchers told CSO via email.
“By creating a pseudo-symlink, an attacker could redirect a delete call to delete a different file or folder as SYSTEM,” the researchers said. “We discussed how this could be used to elevate privileges here.”
Another interesting flaw is CVE-2024-30050, which allows attackers to craft files that would bypass the so-called Mark-of-the-Web (MOTW) flag that Windows automatically assigns to files downloaded from the internet. This mark signals to other Windows features and programs, such as SmartScreen in the browser or Protected View in Microsoft Office, that additional protections should be enforced when users open those files.
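As an added example that is not part of the article: on NTFS volumes, Windows stores the MOTW as an alternate data stream named Zone.Identifier containing an INI-style [ZoneTransfer] section whose ZoneId value encodes the URL security zone (3 = Internet). The PowerShell function below audits a folder, reads that stream from each file, and flags files that lack the mark or carry a non-Internet zone so an analyst can review them; the folder path is an assumption.

```powershell
# Added example (not from the article): audit a folder for Mark-of-the-Web.
# Assumes an NTFS volume and PowerShell 3.0 or later (the -Stream parameter).
function Get-MotwReport {
    param(
        [Parameter(Mandatory)] [string] $Path   # placeholder: folder to audit
    )

    # URL security zone ids as written into Zone.Identifier by Windows.
    $zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                    3 = 'Internet';    4 = 'Restricted Sites' }

    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $file    = $_
        $zoneId  = $null
        $hostUrl = $null

        # Read the alternate data stream; a missing stream means the file carries no MOTW.
        $stream = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                              -ErrorAction SilentlyContinue
        if ($stream) {
            foreach ($line in $stream) {
                if ($line -match '^ZoneId=(\d+)$')  { $zoneId  = [int]$Matches[1] }
                if ($line -match '^HostUrl=(.+)$')  { $hostUrl = $Matches[1] }
            }
        }

        $zoneName = 'n/a'
        if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) {
            $zoneName = $zoneNames[$zoneId]
        }

        # Downloaded files without the mark, or with a zone other than Internet,
        # will not trigger SmartScreen or Protected View and deserve a closer look.
        [pscustomobject]@{
            File    = $file.FullName
            HasMotw = [bool]$stream
            ZoneId  = $zoneId
            Zone    = $zoneName
            HostUrl = $hostUrl
            Review  = (-not $stream) -or ($zoneId -ne 3)
        }
    }
}

# Usage: list only the files an analyst should look at.
Get-MotwReport -Path "$env:USERPROFILE\Downloads" | Where-Object Review | Format-Table -AutoSize
```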
“While we have no indication this bug is being actively used, we see the technique used often enough to call it out,” the ZDI researchers said. “Bugs like this show why Moderate-rated bugs shouldn’t be ignored or deprioritized.”