Black Arrow Cyber Advisory 15 May 2024 – Microsoft, Adobe, Apple, Mozilla Firefox, Google Chrome, SAP and VMware Updates
Executive summary
Microsoft’s May Patch Tuesday provides updates to address 61 security issues across its product range. Notably, the update tackles two actively exploited zero-day vulnerabilities: a security feature bypass and an elevation of privilege vulnerability. Among the issues addressed by Microsoft was 1 critical vulnerability, which allows an attacker remote code execution.
In addition to the Microsoft updates, this week also saw Adobe, Apple, Firefox, Google Chrome, SAP and VMware all provide updates for vulnerabilities in a variety of their products, including multiple zero-days and critical vulnerabilities.
What’s the risk to me or my business?
The actively exploited vulnerabilities could allow an unauthenticated attacker to gain code execution as well as elevate to system privileges, the highest available, both of which compromise the confidentiality, integrity and availability of data stored by an organisation.
What can I do?
Security updates are available for all impacted supported versions of Windows. Updates for the actively exploited vulnerabilities should be applied as soon as possible, and all other vulnerabilities that have an available patch should also be updated as soon as possible.
Technical Summary
Microsoft
CVE-2024-30040 – A security feature bypass, in which an unauthenticated attacker can gain code execution through convincing a user to open a malicious document. It is now known how this flaw was abused in attacks.
CVE-2024-30051 – A flaw in Windows DWM Core Library which, upon exploitation, allows an attacker to elevate to system privileges, the highest available.
Apple
Apple have addressed multiple vulnerabilities in its products, including 16 vulnerabilities on iPhones and iPads. This includes one vulnerability which the company say “may have been exploited”.
Adobe
Adobe have addressed 37 vulnerabilities in its products, including 9 critical vulnerabilities in Adobe Acrobat and Reader, 2 critical vulnerabilities in Adobe Commerce, Adobe InDesign and Adobe Experience Manager, 1 critical vulnerability in Adobe Media Encoder and Adobe Bridge, 3 critical vulnerabilities in Adobe Illustrator and 2 critical vulnerabilities in Adobe Animate. The company said it was not aware of any exploits in the wild for any of the documented issues.
Firefox
Firefox has upgraded to version 126. The new version addresses 16 unique security issues. None of the vulnerabilities are currently under active exploitation. The release also comes with some quality-of-life changes such as search telemetry changes and copy link without site tracking.
Google Chrome
Google Chrome released an emergency update to fix their 6th zero-day exploited this year, just one week after a previous one. Google are aware that an exploit for the vulnerability exists in the wild. Users are recommended to update as soon as possible.
SAP
This month, SAP has released 17 patches, which include 14 new fixes and 3 updates from previous releases. Two patches and one update have been given the “hot news” priority in SAP, the highest severity. The vulnerabilities encompass a range of issues, including CSS Injection, Remote Code Execution, File Upload flaws, and Cross-Site Scripting (XSS).
VMware
Multiple security flaws, including one critical vulnerability, have been addressed by VMware after their exploitation was demonstrated at a security event. Some of the vulnerabilities do not have a fix yet and as such, users are advised to disable Bluetooth support and 3D acceleration as temporary workarounds until patches are applied.
More info:
Microsoft
Further details on other specific updates within Microsoft’s May Patch Tuesday can be found here:
https://www.ghacks.net/2024/05/14/microsoft-releases-the-may-2024-security-updates-for-windows/
Apple
Further details of the vulnerabilities in Apple can be found here:
https://support.apple.com/en-gb/HT201222
Adobe
Further details of the vulnerabilities in Adobe Acrobat and Reader can be found here:
https://helpx.adobe.com/security/products/acrobat/apsb24-29.html
Further details of the vulnerabilities in Adobe Photoshop can be found here:
https://helpx.adobe.com/security/products/photoshop/apsb24-16.html
Further details of the vulnerabilities in Adobe Commerce can be found here:
https://helpx.adobe.com/uk/security/products/magento/apsb24-18.html
Further details of the vulnerabilities in Adobe InDesign can be found here:
https://helpx.adobe.com/uk/security/products/indesign/apsb24-20.html
Further details of the vulnerabilities in Adobe Experience Manager can be found here:
https://helpx.adobe.com/uk/security/products/experience-manager/apsb24-21.html
Further details of the vulnerabilities in Adobe Media Encoder can be found here:
https://helpx.adobe.com/uk/security/products/media-encoder/apsb24-23.html
Further details of the vulnerabilities in Adobe Bridge can be found here:
https://helpx.adobe.com/uk/security/products/bridge/apsb24-24.html
Further details of the vulnerabilities in Adobe Illustrator can be found here:
https://helpx.adobe.com/uk/security/products/illustrator/apsb24-25.html
Further details of the vulnerabilities in Adobe Animate can be found here:
https://helpx.adobe.com/uk/security/products/animate/apsb24-26.html
Firefox
Further details on the vulnerabilities addressed in the Firefox release can be found here:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/
Google Chrome
Further details on the vulnerabilities addressed in the Google Chrome update can be found here:
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html
SAP
Further details on the vulnerabilities addressed in SAP can be found here:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2024.html
VMware
Further details on the vulnerabilities addressed by VMware can be found here: