Virtual Administrator’s May Patch Recommendations

Patch Recommendations

This month Microsoft released patches for 59 vulnerabilities with 1 rated “Critical” in severity.

All new patches will be approved in our patch policy.

With 59 CVEs, May is a much lighter month than April. CVE-2024-30044 is the only Critical vulnerability and is a Remote Code Execution (RCE) in SharePoint Server. Actively exploited CVE-2024-30051 is an Elevation of Privilege (EoP) vulnerability in the Windows DWM Core Library. Also being exploited is CVE-2024-30040, a security feature bypass in MSHTML that can evade OLE mitigations implemented in Microsoft 365 and Microsoft Office. CVE-2024-30046 is a publicly disclosed Denial of Service (DoS) flaw in Microsoft Visual Studio. Some administrators are seeing failures installing the Windows Server 2019 CU KB5037765 – see “New Known Issues” below. Microsoft also fixed a couple of late-breaking issues with April’s updates – see “Known Issues Fixed” below.

Disclosed: CVE-2024-30046, CVE-2024-30051

Exploited: CVE-2024-30040, CVE-2024-30051

Known Issues Fixed

VPN connections might fail after installing the April 2024 security update

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022

Windows devices might face VPN connection failures after installing the April 2024 security update or the April 2024 non-security preview update.

Resolution: This issue was resolved by Windows updates released May 14, 2024, and later. We recommend you install the latest security update for your device. It contains important improvements and issue resolutions, including this one.

Affected platforms: Windows 10/11, Windows Server

NTLM traffic issue after installing the April 2024 security update

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022

After installing the April 2024 security update on domain controllers (DCs), you might notice a significant increase in NTLM authentication traffic. This issue is more likely to affect Active Directory (AD) deployments already servicing a large number of NTLM authentication requests where a small number of Primary Domain Controllers (PDCs) are supporting a large number of read-write Backup Domain Controllers (DCs) and Read Only Domain Controllers (RODCs).

Note: In rare instances, Windows Servers running the Domain Controller (DC) role might experience Local Security Authority Subsystem Service (LSASS) crashes resulting in a reboot.

Resolution: This issue was resolved by Windows updates released May 14, 2024, and later. We recommend you install the latest security update for your device. It contains important improvements and issue resolutions, including this one.

Affected platforms: Windows 10/11, Windows Server
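As an added example (not part of this bulletin or of Microsoft's guidance), the following PowerShell function counts NTLM credential validations per hour on a domain controller so you can see whether the traffic increase described above is present and whether it subsides after the May update. It assumes “Audit Credential Validation” is enabled on the DC (Security Event ID 4776 is logged on the DC that validated the NTLM credentials) and that it runs in an elevated session on the DC; the function name and the threshold parameter are my own.

```powershell
# Added example, not from the bulletin: hourly count of NTLM credential validations
# (Security Event ID 4776) on a domain controller, to spot the traffic increase
# described under "Known Issues Fixed" and confirm it subsides after the May update.
# Assumes "Audit Credential Validation" is enabled and the session is elevated.

function Get-NtlmValidationPerHour {
    param(
        [int]$Hours = 24,           # how far back to look
        [int]$AlertThreshold = 0    # per-hour count above which a line is flagged (0 = never)
    )
    $since  = (Get-Date).AddHours(-$Hours)
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as zero events.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    $events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name |
        ForEach-Object {
            [pscustomobject]@{
                Hour    = $_.Name
                Count   = $_.Count
                Flagged = ($AlertThreshold -gt 0 -and $_.Count -gt $AlertThreshold)
            }
        }
}

# Example run: the threshold is a placeholder; set it from a baseline captured on the
# same DC before the April update.
Get-NtlmValidationPerHour -Hours 48 -AlertThreshold 5000 | Format-Table -AutoSize
```

Run it once before and once after installing the May 14 cumulative update on the PDC and on a busy RODC; a per-hour count that returns to the pre-April baseline is the confirmation that the fix took effect, independent of what Windows Update reports.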

 

FYI – On April 30th Microsoft confessed they won’t fix KB5034439/KB5034440/KB5034441 for Windows 10/11/Server 2022 after all.

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022#3231msgdesc

Resolution: Automatic resolution of this issue won’t be available in a future Windows update. Manual steps are necessary to complete the installation of this update on devices which are experiencing this error.

Security Update Guide

https://msrc.microsoft.com/update-guide/en-us

Microsoft Security Advisories – None

New Known Issues

  • Trouble changing the user account profile picture.
  • Installation failures with KB5037765, which seem to affect Windows Server 2019 systems that do not have the en-US language pack installed.
  • Microsoft continues to list unresolved older problems under the Known Issues for new patches, so if you have not yet experienced one of these issues it is unlikely to occur now.

Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

May be unable to change your user account profile picture.

https://support.microsoft.com/en-us/topic/may-14-2024-kb5037768-os-builds-19044-4412-and-19045-4412-cb676101-1641-4a6c-b512-8b277606c6e3

Affected platforms: Windows 10/11, Windows Server 2022

Symptom: After installing this update, you might be unable to change your user account profile picture.

When attempting to change a profile picture by selecting the button Start > Settings > Account > Your info and, under Create your picture, clicking on Browse for one, you might receive an error message with error code 0x80070520.

Status: We are working on a resolution and will provide an update in an upcoming release.

Windows Server 2019 CU KB5037765 may fail with error code 0x800f0982

https://support.microsoft.com/en-us/topic/may-14-2024-kb5037765-os-build-17763-5820-82d1aefb-093c-4e4a-a729-cd4a829750ad

Affected platforms: Windows Server 2019

Symptom: Windows servers attempting to install the May 2024 security update (KB5037765), released May 14, 2024, might face issues during the installation process. The installation might fail with an error code 0x800f0982. This issue is more likely to affect devices that do not have en_us language pack support.

Status: We are working on a resolution and will provide an update in an upcoming release.

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

Security and Quality Rollup

  • KB5037823 – Windows Server 2012 R2 (ESU)
  • KB5037778 – Windows Server 2012 (ESU)

Security Only Update

  • None – Windows Server 2012 R2 (ESU)
  • None – Windows Server 2012 (ESU)

Cumulative Updates

Windows 10

  • KB5037788 – Original release version 1507 (OS Build 10240)
  • KB5037763 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5037765 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5037768 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5037768 – Version 22H2 “November 2022 Update” (OS Build 19045)

(Versions 1511, 1703, 1709, 1803, 1903, 1909, 2004, 20H2, 21H1 are no longer under support)

Windows 11

  • KB5037770 – 21H2 (OS Build 22000) Original release
  • KB5037771 – 22H2 (OS Build 22621)
  • KB5037771 – 23H2 (OS Build 22631)

Windows Server

  • KB5037763 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5037765 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5037782 – Server 2022 (OS Build 20348)
  • KB5037781 – Server 23H2 (OS Build 25398)
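As an added example that is not part of the bulletin, the PowerShell below turns the KB lists above into a compliance check: it maps the local OS build to the May 2024 cumulative update listed for it, reports whether that KB is installed, and on Server 2019 (build 17763) warns when the en-US MUI language pack is absent, the condition the KB5037765 known issue describes. The KB numbers and builds are taken from the lists above; the mapping table, the function name and the output fields are my own.

```powershell
# Added example (not from the Virtual Administrator bulletin): check whether the
# May 2024 cumulative update for this host's OS build is installed. KB numbers and
# builds are from the bulletin's lists; the table and helper are assumptions of mine.

$May2024Kbs = @{
    '10240' = 'KB5037788'  # Windows 10 1507
    '14393' = 'KB5037763'  # Windows 10 1607 / Server 2016
    '17763' = 'KB5037765'  # Windows 10 1809 / Server 2019
    '19044' = 'KB5037768'  # Windows 10 21H2
    '19045' = 'KB5037768'  # Windows 10 22H2
    '22000' = 'KB5037770'  # Windows 11 21H2
    '22621' = 'KB5037771'  # Windows 11 22H2
    '22631' = 'KB5037771'  # Windows 11 23H2
    '20348' = 'KB5037782'  # Server 2022
    '25398' = 'KB5037781'  # Server 23H2
}

function Test-May2024Update {
    $os    = Get-CimInstance Win32_OperatingSystem
    $build = ($os.Version -split '\.')[2]          # "17763" from "10.0.17763"
    # UBR is the fourth build component that a CU raises (e.g. 17763.5820 for KB5037765).
    $ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $kb    = $May2024Kbs[$build]

    if (-not $kb) {
        return [pscustomobject]@{
            OSBuild = "$build.$ubr"; ExpectedKB = $null; Installed = $false
            Note    = 'Build not in the May 2024 list (out of support or not covered)'
        }
    }

    # Get-HotFix reads Win32_QuickFixEngineering; an absent KB simply returns nothing.
    $installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

    $note = ''
    if ($build -eq '17763' -and -not $installed -and ($os.MUILanguages -notcontains 'en-US')) {
        $note = 'Server 2019 without en-US MUI: KB5037765 may fail with 0x800f0982 (see New Known Issues)'
    }

    [pscustomobject]@{ OSBuild = "$build.$ubr"; ExpectedKB = $kb; Installed = $installed; Note = $note }
}

Test-May2024Update | Format-List
```

Get-HotFix does not always list cumulative updates, so treat the OSBuild field as the authoritative signal: compare it with the OS build in the KB title (for example OS Build 17763.5820 for KB5037765) rather than relying on the Installed flag alone.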

 

May 2024 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/may-2024-updates-for-microsoft-office-4a6a9970-be68-47f6-9270-62b221d3fcb3

Notable CVEs

CVE-2024-30040 | Windows MSHTML Platform Security Feature Bypass Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-30040

An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an email or instant messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file. An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user.

CVE-2024-30044 | Microsoft SharePoint Server Remote Code Execution Vulnerability (5002596, 5002599)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-30044

An authenticated attacker with Site Owner permissions or higher could upload a specially crafted file to the targeted SharePoint Server and craft specialized API requests to trigger deserialization of the file’s parameters. This would enable the attacker to perform remote code execution in the context of the SharePoint Server. An authenticated attacker with Site Owner permission can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server.

CVE-2024-30046 | Visual Studio Denial of Service Vulnerability (5038351, 5038352, Visual Studio 2022 version 17.9.7)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-30046

Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.

CVE-2024-30051 | Windows DWM Core Library Elevation of Privilege Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-30051

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.