Leading up May’s Patch Tuesday, we have a pair of zero-day vulnerabilities in Google Chrome and Microsoft Edge as well as a zero-day in macOS. Microsoft has also included a pair of zero-day vulnerabilities in their update, adding to a total of 61 CVEs resolved. Mozilla and Adobe are adding the lineup of third-party updates releasing today.

Microsoft Patch Tuesday Updates

Microsoft resolved an Elevation of Privilege vulnerability in Windows DWM Core Library (CVE-2024-30051) which has been confirmed to be exploited. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system. The vulnerability affects the Windows OS and is rated Important by Microsoft, with a CVSS 3.1 score of 7.8. Given the detection of known exploits, a risk-based prioritization approach would put the OS update this month as a top priority.

Microsoft has resolved a Security Feature Bypass vulnerability in Windows MSHTML (CVE-2024-30040) that has been confirmed to be exploited. An attacker could bypass OLE mitigations in Microsoft 365 and Microsoft Office and target a user through an email or instant message to exploit the vulnerability. The vulnerability affects the Windows OS and is rated Important by Microsoft, with a CVSS 3.1 score of 8.8. Given the detection of known exploits, a risk-based prioritization approach would put the OS update this month as a top priority.

Third-Party Patch Tuesday Updates

Google has resolved a pair of zero-day vulnerabilities that affect both Google Chrome and Microsoft Edge. On Thursday, May 9, Google resolved CVE-2024-4671, which released in an Microsoft Edge update on May 10. On Monday, May 13, Google Resolved CVE-2024-4761, and the Microsoft Edge update today resolves the second zero-day. This pair makes six zero-days so far this year for Google Chrome and Microsoft Edge (Chromium). Yesterday’s release also makes six Google Chrome releases since April Patch Tuesday.

Mozilla Firefox and Firefox ESR were updated for May Patch Tuesday, meaning all your major browsers need an update this month, resolving 16 CVEs. Firefox had three releases since April Patch Tuesday.

Adobe has released updates for Acrobat Reader resolving 12 CVES, nine of which are critical. Updates for Illustrator, Substance 3D, Aero, Animate, FrameMaker and Dreamweaver have also been released. 

Patch Tuesday Priority Guidance

• Update all browsers as soon as possible. Two zero-days in Chrome and Edge and 16 CVEs in Firefox mean you will resolve a lot of risk quickly by doing so.
• Windows OS has two zero-day vulnerabilities in the May Patch Tuesday update and should be a high priority this month.
• macOS resolved a zero-day vulnerability in the May 13 release, so ensure your macOS updates are a high priority this month.