Microsoft May 2023 Patch Tuesday fixes 3 zero-days, 38 flaws


Today is Microsoft’s May 2023 Patch Tuesday, and security updates fix three zero-day vulnerabilities and a total of 38 flaws.

Six vulnerabilities are classified as ‘Critical’ as they allow remote code execution, the most severe type of vulnerability.

The number of bugs in each vulnerability category is listed below:

  • 8 Elevation of Privilege Vulnerabilities
  • 4 Security Feature Bypass Vulnerabilities
  • 12 Remote Code Execution Vulnerabilities
  • 8 Information Disclosure Vulnerabilities
  • 5 Denial of Service Vulnerabilities
  • 1 Spoofing Vulnerability

Today’s Patch Tuesday is one of the smallest in terms of resolved vulnerabilities, with only thirty-eight vulnerabilities fixed, not including eleven Microsoft Edge vulnerabilities fixed last week, on May 5th.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5026372 cumulative update and Windows 10 KB5026361 and KB5026362 updates.

Three zero-days fixed

This month’s Patch Tuesday fixes three zero-day vulnerabilities, with two exploited in attacks and another publicly disclosed.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The two actively exploited zero-day vulnerabilities in today’s updates are:

CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability

Microsoft has fixed a privilege elevation vulnerability in the Win32k Kernel driver that elevates privileges to SYSTEM, Windows’ highest user privilege level.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” reads Microsoft’s advisory.

While Microsoft reports that the bug is actively exploited, there are no details on how it was abused.

Microsoft says that Jan Vojtešek, Milánek, and Luigino Camastra with Avast discovered the vulnerability.

CVE-2023-24932 – Secure Boot Security Feature Bypass Vulnerability

Microsoft has fixed a Secure Boot bypass flaw used by a threat actor to install the BlackLotus UEFI bootkit.

“To exploit the vulnerability, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy,” reads Microsoft’s advisory.

UEFI bootkits are malware planted in the system firmware and are invisible to security software running within the operating system because the malware loads in the initial stage of the booting sequence.

Since October 2022, a threat actor has been selling the BlackLotus bootkit on hacker forums and continues to evolve its features. For example, in March, ESET reported that the developed improved the malware to bypass Secure Boot even on fully patched Windows 11 operating systems.

Microsoft released guidance last month on how to detect BlackLotus UEFI bootkit attacks. With today’s Patch Tuesday, Microsoft fixed the vulnerability used by the bootkit but has not enabled it by default.

“The security update addresses the vulnerability by updating the Windows Boot Manager, but is not enabled by default,” explains Microsoft’s advisory.

“Additional steps are required at this time to mitigate the vulnerability. Please refer to the following for steps to determine impact on your environment: KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932.”

Microsoft says this vulnerability is a bypass for the previously fixed CVE-2022-21894 vulnerability.

Microsoft has also released security update for one publicly disclosed zero-day vulnerabilities that was not actively exploited.

CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability

Microsoft has fixed a Windows OLE flaw in Microsoft Outlook that can be exploited using specially crafted emails.

“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim,” warns Microsoft’s advisory.

“Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email.”

“This could result in the attacker executing remote code on the victim’s machine.”

However, an attacker must win a ‘race’ condition and take additional actions to exploit the flaw successfully.

Microsoft says that users can mitigate this vulnerability by reading all messages in plain text format.

Will Dormann of Vuln Labs discovered the vulnerability.

Recent updates from other companies

Other vendors who released updates or advisories in May 2023 include:

The May 2023 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the May 2023 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

Tag CVE ID CVE Title Severity
Microsoft Bluetooth Driver CVE-2023-24947 Windows Bluetooth Driver Remote Code Execution Vulnerability Important
Microsoft Bluetooth Driver CVE-2023-24948 Windows Bluetooth Driver Elevation of Privilege Vulnerability Important
Microsoft Bluetooth Driver CVE-2023-24944 Windows Bluetooth Driver Information Disclosure Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2023-29354 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability Moderate
Microsoft Edge (Chromium-based) CVE-2023-2468 Chromium: CVE-2023-2468 Inappropriate implementation in PictureInPicture Unknown
Microsoft Edge (Chromium-based) CVE-2023-2459 Chromium: CVE-2023-2459 Inappropriate implementation in Prompts Unknown
Microsoft Edge (Chromium-based) CVE-2023-29350 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2023-2467 Chromium: CVE-2023-2467 Inappropriate implementation in Prompts Unknown
Microsoft Edge (Chromium-based) CVE-2023-2463 Chromium: CVE-2023-2463 Inappropriate implementation in Full Screen Mode Unknown
Microsoft Edge (Chromium-based) CVE-2023-2462 Chromium: CVE-2023-2462 Inappropriate implementation in Prompts Unknown
Microsoft Edge (Chromium-based) CVE-2023-2460 Chromium: CVE-2023-2460 Insufficient validation of untrusted input in Extensions Unknown
Microsoft Edge (Chromium-based) CVE-2023-2465 Chromium: CVE-2023-2465 Inappropriate implementation in CORS Unknown
Microsoft Edge (Chromium-based) CVE-2023-2466 Chromium: CVE-2023-2466 Inappropriate implementation in Prompts Unknown
Microsoft Edge (Chromium-based) CVE-2023-2464 Chromium: CVE-2023-2464 Inappropriate implementation in PictureInPicture Unknown
Microsoft Graphics Component CVE-2023-24899 Windows Graphics Component Elevation of Privilege Vulnerability Important
Microsoft Office CVE-2023-29344 Microsoft Office Remote Code Execution Vulnerability Important
Microsoft Office Access CVE-2023-29333 Microsoft Access Denial of Service Vulnerability Important
Microsoft Office Excel CVE-2023-24953 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office SharePoint CVE-2023-24955 Microsoft SharePoint Server Remote Code Execution Vulnerability Critical
Microsoft Office SharePoint CVE-2023-24954 Microsoft SharePoint Server Information Disclosure Vulnerability Important
Microsoft Office SharePoint CVE-2023-24950 Microsoft SharePoint Server Spoofing Vulnerability Important
Microsoft Office Word CVE-2023-29335 Microsoft Word Security Feature Bypass Vulnerability Important
Microsoft Teams CVE-2023-24881 Microsoft Teams Information Disclosure Vulnerability Important
Microsoft Windows Codecs Library CVE-2023-29340 AV1 Video Extension Remote Code Execution Vulnerability Important
Microsoft Windows Codecs Library CVE-2023-29341 AV1 Video Extension Remote Code Execution Vulnerability Important
Remote Desktop Client CVE-2023-24905 Remote Desktop Client Remote Code Execution Vulnerability Important
SysInternals CVE-2023-29343 SysInternals Sysmon for Windows Elevation of Privilege Vulnerability Important
Visual Studio Code CVE-2023-29338 Visual Studio Code Information Disclosure Vulnerability Important
Windows Backup Engine CVE-2023-24946 Windows Backup Service Elevation of Privilege Vulnerability Important
Windows Installer CVE-2023-24904 Windows Installer Elevation of Privilege Vulnerability Important
Windows iSCSI Target Service CVE-2023-24945 Windows iSCSI Target Service Information Disclosure Vulnerability Important
Windows Kernel CVE-2023-24949 Windows Kernel Elevation of Privilege Vulnerability Important
Windows LDAP – Lightweight Directory Access Protocol CVE-2023-28283 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability Critical
Windows MSHTML Platform CVE-2023-29324 Windows MSHTML Platform Security Feature Bypass Vulnerability Important
Windows Network File System CVE-2023-24941 Windows Network File System Remote Code Execution Vulnerability Critical
Windows NFS Portmapper CVE-2023-24901 Windows NFS Portmapper Information Disclosure Vulnerability Important
Windows NFS Portmapper CVE-2023-24939 Server for NFS Denial of Service Vulnerability Important
Windows NTLM CVE-2023-24900 Windows NTLM Security Support Provider Information Disclosure Vulnerability Important
Windows OLE CVE-2023-29325 Windows OLE Remote Code Execution Vulnerability Critical
Windows PGM CVE-2023-24940 Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability Important
Windows PGM CVE-2023-24943 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Critical
Windows RDP Client CVE-2023-28290 Microsoft Remote Desktop app for Windows Information Disclosure Vulnerability Important
Windows Remote Procedure Call Runtime CVE-2023-24942 Remote Procedure Call Runtime Denial of Service Vulnerability Important
Windows Secure Boot CVE-2023-28251 Windows Driver Revocation List Security Feature Bypass Vulnerability Important
Windows Secure Boot CVE-2023-24932 Secure Boot Security Feature Bypass Vulnerability Important
Windows Secure Socket Tunneling Protocol (SSTP) CVE-2023-24903 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability Critical
Windows SMB CVE-2023-24898 Windows SMB Denial of Service Vulnerability Important
Windows Win32K CVE-2023-29336 Win32k Elevation of Privilege Vulnerability Important
Windows Win32K CVE-2023-24902 Win32k Elevation of Privilege Vulnerability Important



Source link