Microsoft Windows DWM Zero-Day Poised for Mass Exploit
A trio of zero-days headline Microsoft’s May Patch Tuesday update, which offers a modest spring bouquet of 59 CVEs in total (just a third of last month’s downpour of patches for admins to deal with). But at least one of the publicly known bugs is poised for mass exploitation, and is indeed already in use by QakBot operators.

This month’s disclosed flaws affect the gamut of the computing kahuna’s portfolio, including Windows, Office, .NET Framework and Visual Studio; Microsoft Dynamics 365; Power BI; DHCP Server; Microsoft Edge (Chromium-based); and Windows Mobile Broadband. Only one of them is considered critical by Microsoft.

It should also be noted that the Chromium-based Edge browser is affected by CVE-2024-4761, a Chrome zero-day under active exploit that Google patched today, a critical sandbox escape bug that should be patched immediately.

Zero-Days Under Active Exploit

Two of the CVEs are listed as under active attack in the wild, while the third is simply already “publicly known at the time of the release.”

Perhaps the most concerning is CVE-2024-30051 (7.2 CVSS), a Windows DWM Core Library elevation-of-privilege (EoP) vulnerability that lets a local attacker who already has a foothold on a network escalate to SYSTEM privileges. When chained with a code-execution bug for initial access, it can lead to complete takeover of a target and lateral movement — a common path used by ransomware actors.

And indeed, Kaspersky researchers noted in a tandem blog today that multiple threat actors appear to have access to the exploit, which started circulating in April. Since then, adversaries using the popular QakBot initial-access Trojan in particular have co-opted the bug, they said. QakBot is an oft-seen partner in ransomware attacks.

“The speed with which threat actors are integrating this exploit into their arsenal underscores the importance of timely updates and vigilance in cybersecurity,” said Boris Larin, principal security researcher at Kaspersky GReAT, in Kaspersky’s blog.

Dustin Childs, head of threat initiative at Trend Micro’s Zero Day Initiative (ZDI), says the exploitation could soon snowball, so prioritizing this one is a must.

“Microsoft doesn’t provide any indication of the volume of…
