In the latest news regarding cybersecurity, Microsoft has successfully closed two Windows zero-day vulnerabilities that were being actively exploited. This month’s Patch Tuesday saw the resolution of 60 unique new CVEs, along with the republishing of eight CVEs for third-party software that affect Microsoft products. Additionally, two vulnerabilities were publicly disclosed, requiring immediate attention from IT professionals.
The first zero-day vulnerability addressed by Microsoft is an elevation-of-privilege flaw targeting the Windows Dynamic Window Manager (DWM) Core Library in Windows desktop and server systems. This flaw, rated as important with a CVSS score of 7.8, allows an attacker to obtain system privileges on the targeted system without the need for user interaction. The second zero-day vulnerability is a security feature bypass flaw in the Windows MSHTML platform, affecting both desktop and server systems. Rated important with an 8.8 CVSS score, this vulnerability exploits flaws in the Object Linking and Embedding (OLE) technology in Microsoft 365 and Office applications.
Furthermore, Microsoft also addressed a Visual Studio denial-of-service vulnerability, rated important with a CVSS score of 5.9, which requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.
In a separate development, Google recently patched two critical zero-day vulnerabilities in Chrome, which also affect the Microsoft Edge browser due to their shared Chromium code base. Microsoft released out-of-band fixes for Edge and included the Chrome zero-days in its May Patch Tuesday release. This emphasizes the importance of updating all browsers to ensure security, as highlighted by Chris Goettl, vice president of product management for security products at Ivanti.
However, updating browsers can be challenging as they require individual restarts to apply patches, leaving them vulnerable if updates are ignored. Goettl stresses the need for IT professionals to have proper patch management tools to maintain security effectively.
Moreover, a critical vulnerability in SharePoint Server was also addressed by Microsoft, with an assessment of “exploitation more likely” due to its remote-code execution potential. Additionally, patches for development tools like Visual Studio require cooperation between security, IT, and development teams to ensure that vulnerabilities are resolved without breaking essential functionalities.
Overall, the cybersecurity landscape continues to evolve, and IT professionals must remain vigilant in addressing vulnerabilities and implementing necessary security measures to protect their organizations from potential cyber threats.