Today is Microsoft’s May 2023 Patch Tuesday, and security updates fix three zero-day vulnerabilities and a total of 38 flaws.
Six vulnerabilities are classified as ‘Critical’ as they allow remote code execution, the most severe type of vulnerability.
The number of bugs in each vulnerability category is listed below:
- 8 Elevation of Privilege Vulnerabilities
- 4 Security Feature Bypass Vulnerabilities
- 12 Remote Code Execution Vulnerabilities
- 8 Information Disclosure Vulnerabilities
- 5 Denial of Service Vulnerabilities
- 1 Spoofing Vulnerability
Today’s Patch Tuesday is one of the smallest in terms of resolved vulnerabilities, with only thirty-eight vulnerabilities fixed, not including eleven Microsoft Edge vulnerabilities fixed last week, on May 5th.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5026372 cumulative update and Windows 10 KB5026361 and KB5026362 updates.
Three zero-days fixed
This month’s Patch Tuesday fixes three zero-day vulnerabilities, with two exploited in attacks and another publicly disclosed.
Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.
The two actively exploited zero-day vulnerabilities in today’s updates are:
CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability
Microsoft has fixed a privilege elevation vulnerability in the Win32k Kernel driver that elevates privileges to SYSTEM, Windows’ highest user privilege level.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” reads Microsoft’s advisory.
While Microsoft reports that the bug is actively exploited, there are no details on how it was abused.
Microsoft says that Jan Vojtešek, Milánek, and Luigino Camastra with Avast discovered the vulnerability.
CVE-2023-24932 – Secure Boot Security Feature Bypass Vulnerability
Microsoft has fixed a Secure Boot bypass flaw used by a threat actor to install the BlackLotus UEFI bootkit.
“To exploit the vulnerability, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy,” reads Microsoft’s advisory.
UEFI bootkits are malware planted in the system firmware and are invisible to security software running within the operating system because the malware loads in the initial stage of the booting sequence.
Since October 2022, a threat actor has been selling the BlackLotus bootkit on hacker forums and continues to evolve its features. For example, in March, ESET reported that the developed improved the malware to bypass Secure Boot even on fully patched Windows 11 operating systems.
Microsoft released guidance last month on how to detect BlackLotus UEFI bootkit attacks. With today’s Patch Tuesday, Microsoft fixed the vulnerability used by the bootkit but has not enabled it by default.
“The security update addresses the vulnerability by updating the Windows Boot Manager, but is not enabled by default,” explains Microsoft’s advisory.
“Additional steps are required at this time to mitigate the vulnerability. Please refer to the following for steps to determine impact on your environment: KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932.”
Microsoft says this vulnerability is a bypass for the previously fixed CVE-2022-21894 vulnerability.
Microsoft has also released security update for one publicly disclosed zero-day vulnerabilities that was not actively exploited.
CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability
Microsoft has fixed a Windows OLE flaw in Microsoft Outlook that can be exploited using specially crafted emails.
“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim,” warns Microsoft’s advisory.
“Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email.”
“This could result in the attacker executing remote code on the victim’s machine.”
However, an attacker must win a ‘race’ condition and take additional actions to exploit the flaw successfully.
Microsoft says that users can mitigate this vulnerability by reading all messages in plain text format.
Will Dormann of Vuln Labs discovered the vulnerability.
Recent updates from other companies
Other vendors who released updates or advisories in May 2023 include:
The May 2023 Patch Tuesday Security Updates
Below is the complete list of resolved vulnerabilities in the May 2023 Patch Tuesday updates.
To access the full description of each vulnerability and the systems it affects, you can view the full report here.
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| Microsoft Bluetooth Driver | CVE-2023-24947 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important |
| Microsoft Bluetooth Driver | CVE-2023-24948 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Bluetooth Driver | CVE-2023-24944 | Windows Bluetooth Driver Information Disclosure Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2023-29354 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Moderate |
| Microsoft Edge (Chromium-based) | CVE-2023-2468 | Chromium: CVE-2023-2468 Inappropriate implementation in PictureInPicture | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-2459 | Chromium: CVE-2023-2459 Inappropriate implementation in Prompts | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-29350 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2023-2467 | Chromium: CVE-2023-2467 Inappropriate implementation in Prompts | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-2463 | Chromium: CVE-2023-2463 Inappropriate implementation in Full Screen Mode | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-2462 | Chromium: CVE-2023-2462 Inappropriate implementation in Prompts | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-2460 | Chromium: CVE-2023-2460 Insufficient validation of untrusted input in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-2465 | Chromium: CVE-2023-2465 Inappropriate implementation in CORS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-2466 | Chromium: CVE-2023-2466 Inappropriate implementation in Prompts | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-2464 | Chromium: CVE-2023-2464 Inappropriate implementation in PictureInPicture | Unknown |
| Microsoft Graphics Component | CVE-2023-24899 | Windows Graphics Component Elevation of Privilege Vulnerability | Important |
| Microsoft Office | CVE-2023-29344 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office Access | CVE-2023-29333 | Microsoft Access Denial of Service Vulnerability | Important |
| Microsoft Office Excel | CVE-2023-24953 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2023-24955 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2023-24954 | Microsoft SharePoint Server Information Disclosure Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2023-24950 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Microsoft Office Word | CVE-2023-29335 | Microsoft Word Security Feature Bypass Vulnerability | Important |
| Microsoft Teams | CVE-2023-24881 | Microsoft Teams Information Disclosure Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2023-29340 | AV1 Video Extension Remote Code Execution Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2023-29341 | AV1 Video Extension Remote Code Execution Vulnerability | Important |
| Remote Desktop Client | CVE-2023-24905 | Remote Desktop Client Remote Code Execution Vulnerability | Important |
| SysInternals | CVE-2023-29343 | SysInternals Sysmon for Windows Elevation of Privilege Vulnerability | Important |
| Visual Studio Code | CVE-2023-29338 | Visual Studio Code Information Disclosure Vulnerability | Important |
| Windows Backup Engine | CVE-2023-24946 | Windows Backup Service Elevation of Privilege Vulnerability | Important |
| Windows Installer | CVE-2023-24904 | Windows Installer Elevation of Privilege Vulnerability | Important |
| Windows iSCSI Target Service | CVE-2023-24945 | Windows iSCSI Target Service Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2023-24949 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows LDAP – Lightweight Directory Access Protocol | CVE-2023-28283 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical |
| Windows MSHTML Platform | CVE-2023-29324 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Important |
| Windows Network File System | CVE-2023-24941 | Windows Network File System Remote Code Execution Vulnerability | Critical |
| Windows NFS Portmapper | CVE-2023-24901 | Windows NFS Portmapper Information Disclosure Vulnerability | Important |
| Windows NFS Portmapper | CVE-2023-24939 | Server for NFS Denial of Service Vulnerability | Important |
| Windows NTLM | CVE-2023-24900 | Windows NTLM Security Support Provider Information Disclosure Vulnerability | Important |
| Windows OLE | CVE-2023-29325 | Windows OLE Remote Code Execution Vulnerability | Critical |
| Windows PGM | CVE-2023-24940 | Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability | Important |
| Windows PGM | CVE-2023-24943 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical |
| Windows RDP Client | CVE-2023-28290 | Microsoft Remote Desktop app for Windows Information Disclosure Vulnerability | Important |
| Windows Remote Procedure Call Runtime | CVE-2023-24942 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Secure Boot | CVE-2023-28251 | Windows Driver Revocation List Security Feature Bypass Vulnerability | Important |
| Windows Secure Boot | CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | Important |
| Windows Secure Socket Tunneling Protocol (SSTP) | CVE-2023-24903 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical |
| Windows SMB | CVE-2023-24898 | Windows SMB Denial of Service Vulnerability | Important |
| Windows Win32K | CVE-2023-29336 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2023-24902 | Win32k Elevation of Privilege Vulnerability | Important |