Microsoft Tackles 59 CVEs, Including Exploited Zero-Days, in Massive May Patch Update
May 14, 2024
Microsoft's Patch Tuesday for May 2024 addressed 59 CVEs including three zero-days, with one actively exploited by QakBot operators.
The exploited zero-day, CVE-2024-30051, poses a significant threat to network security.
Another zero-day, CVE-2024-30040, allows attackers to execute arbitrary code via the MSHTML platform.
The third zero-day, CVE-2024-30046, could lead to denial of service in ASP.NET Core.
Critical vulnerability CVE-2024-30043 in Microsoft SharePoint Server enables unauthorized local file access and server-side request forgery.
Other notable bugs include Elevation of Privilege (EoP) flaws in the Windows Search Service and the Windows Kernel.
CVE-2024-30050 is a moderate-rated security bypass of a kind often exploited in ransomware attacks.
Kaspersky Lab's publication details the discovery of exploits used with QakBot and other malware, but Microsoft has not disclosed attack specifics.
Tech giants Google, Apple, and Adobe have also released security updates for their products.
Cybersecurity experts stress the importance of prompt updates and urge continued vigilance against new exploits.
Summary based on 6 sources
Sources

Dark Reading • May 14, 2024
Microsoft Windows DWM Zero-Day Poised for Mass Exploit
BleepingComputer • May 14, 2024
Microsoft fixes Windows zero-day exploited in QakBot malware attacks
Krebs on Security • May 14, 2024
Patch Tuesday, May 2024 Edition
SecurityWeek • May 14, 2024
Microsoft Warns of Active Zero-Day Exploitation, Patches 60 Windows Vulnerabilities