May Patch Tuesday Closes 61 security holes in Microsoft products

Father

The update fixes three zero-day vulnerabilities and resolves the problem of interrupted VPN connections.

Microsoft released the May Patch Tuesday update, which fixes 61 vulnerabilities, among them 3 zero-day vulnerabilities that were actively exploited or publicly disclosed before the fix.

Of all the patched vulnerabilities, only one was rated critical: a remote code execution vulnerability in Microsoft SharePoint Server. The vulnerabilities break down by category as follows:
  • 17 privilege escalation vulnerabilities;
  • 2 security feature bypass vulnerabilities;
  • 27 remote code execution vulnerabilities;
  • 7 information disclosure vulnerabilities;
  • 3 denial of service vulnerabilities;
  • 4 data spoofing vulnerabilities.

This extensive list does not include two Microsoft Edge vulnerabilities that were patched on May 2 and four more that were patched on May 10.

Fixing zero-day vulnerabilities
A zero-day is a vulnerability that was publicly disclosed or actively exploited in real attacks before the official patch was released. This time, Microsoft fixed three such vulnerabilities:
  1. CVE-2024-30040 (CVSS score 8.8) is a Windows MSHTML platform security bypass vulnerability that allows attackers to execute arbitrary code through vulnerable COM/OLE controls.
  2. CVE-2024-30051 (CVSS score 7.8) is a privilege escalation vulnerability in the Windows DWM kernel library that allows attackers to gain SYSTEM privileges.
  3. CVE-2024-30046 (CVSS score 5.9) is a denial-of-service vulnerability in Visual Studio caused by concurrent execution using a shared resource with improper synchronization (a race condition).

In addition to fixing zero-day vulnerabilities, the company finally resolved an issue that caused VPN connections in Windows to stop working after installing the April security updates. These fixes are also included in the latest Patch Tuesday and can be applied simultaneously.

Microsoft has demonstrated a responsible approach by releasing the May updates to address critical vulnerabilities in Windows and related products. Timely release of patches, together with their prompt installation by users, protects vulnerable devices and minimizes the risk of cyber attacks.
 