Microsoft’s May Patch Tuesday Fixes 38 Flaws, Including an Actively Exploited Zero-Day
Microsoft has released its Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it says is being actively exploited in the wild.
Zero Day Initiative (ZDI) from Trend Micro said the volume was the lowest since August 2021, although it stated that “these numbers are expected to increase in the coming months.”
Of the 38 vulnerabilities, six are rated Critical and 32 are rated Important in severity. Eight of the flaws have been marked with an “Exploitation More Likely” assessment by Microsoft.
This is in addition to 18 flaws, including 11 bugs since early May, that the Windows maker resolved in its Chromium-based Edge browser following the release of the April Patch Tuesday update.
Topping the list is CVE-2023-29336 (CVSS score: 7.8), a privilege escalation flaw in Win32k that has been actively exploited. It is not yet clear how widespread the attack was.
“An attacker who successfully exploits this vulnerability may gain SYSTEM privileges,” Microsoft said, crediting Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra with reporting the flaw.
The active exploitation has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply vendor fixes by May 30, 2023.
Also of note are two publicly known vulnerabilities, one of which is a critical remote code execution flaw affecting Windows OLE (CVE-2023-29325, CVSS score: 8.1) that an attacker can weaponize by sending a specially crafted email to the victim.
As a mitigation, Microsoft recommends that users read email messages in plain text format to protect against this vulnerability.
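The plain-text mitigation above is a per-user Outlook setting, so on a fleet it is worth auditing rather than assuming. The following PowerShell is an added example, not code from the article or from Microsoft: it reports the effective “read as plain text” state for each installed Office generation and can switch the user-level setting on. It assumes the Office version keys 14.0, 15.0 and 16.0 and the ReadAsPlain DWORD under Options\Mail, with a value in the Policies hive taking precedence over the user hive; both are assumptions drawn from Outlook’s registry layout, not from the page.

```powershell
# Added example (not from the article or from Microsoft): audit and optionally enforce
# Outlook's "read all standard mail as plain text" setting for the current user.
# Assumptions: Office version keys 14.0/15.0/16.0 and the ReadAsPlain DWORD under
# Options\Mail; a value under the Policies hive overrides the user-level value.
$officeVersions = '14.0', '15.0', '16.0'

function Get-OutlookPlainTextState {
    foreach ($v in $officeVersions) {
        # Skip Office generations this user has never run Outlook from.
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$v\Outlook")) { continue }

        $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$v\Outlook\Options\Mail"
        $userPath   = "HKCU:\Software\Microsoft\Office\$v\Outlook\Options\Mail"

        $policy = (Get-ItemProperty -Path $policyPath -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
        $user   = (Get-ItemProperty -Path $userPath   -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain

        # Policy wins if set; otherwise the user value; otherwise Outlook's default (HTML rendering).
        $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 0 }

        [pscustomobject]@{
            OfficeVersion = $v
            PolicyValue   = $policy
            UserValue     = $user
            ReadsAsPlain  = ($effective -eq 1)
        }
    }
}

function Enable-OutlookPlainText {
    param([string]$Version = '16.0')
    $path = "HKCU:\Software\Microsoft\Office\$Version\Outlook\Options\Mail"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # 1 = display all standard messages as plain text. A policy value, if present, still takes precedence.
    Set-ItemProperty -Path $path -Name ReadAsPlain -Value 1 -Type DWord
}

# Report current state; call Enable-OutlookPlainText to turn the mitigation on for this user.
Get-OutlookPlainTextState | Format-Table -AutoSize
```

Because the check reads HKCU, run it in the context of the user whose mailbox you care about; for a domain-wide rollout the Policies hive path is the one a Group Policy preference would populate.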
The second publicly known vulnerability is CVE-2023-24932 (CVSS score: 6.7), a Secure Boot security feature bypass that the BlackLotus UEFI bootkit has weaponized to exploit CVE-2022-21894 (aka Baton Drop), which was fixed in January 2022.
“This vulnerability allowed an attacker to execute self-signed code in the Unified Extensible Firmware Interface (UEFI) when Secure Boot is enabled,” Microsoft said in a separate guide.
“It is used by threat actors primarily as a persistence and defense evasion mechanism. A successful exploit depends on the attacker having physical access or local admin privileges on the targeted device.”
It should be noted that the fix shipped by Microsoft is disabled by default and requires the customer to manually apply the revocation, but not before updating all bootable media.
“Once a mitigation for this issue is enabled on a device, meaning that a revocation has been applied, it is irreversible if you continue to use Secure Boot on that device,” Microsoft warned. “Even reformatting the disk will not remove the revocation if it has already been applied.”
The tech giant said it is taking a phased approach to completely block the attack vectors so as to avoid the risk of unwanted disruption, an exercise expected to last through the first quarter of 2024.
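Since the revocation is irreversible and must wait until bootable media has been updated, the first thing an administrator wants is a read-only view of where a machine currently stands. The PowerShell below is an added example, not code from the article or from Microsoft: it reports whether Secure Boot is on and whether the forbidden-signature database (DBX) already contains the revocation. It assumes a UEFI-booted Windows 10/11 system with the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets, an elevated shell, and that the revocation takes the form of the “Microsoft Windows Production PCA 2011” certificate being added to DBX; the certificate name is an assumption based on the boot manager signing chain, not something the page states.

```powershell
# Added example (not from the article or from Microsoft): read-only status report for the
# Secure Boot revocation discussed above. Nothing here writes to UEFI variables.
# Assumptions: UEFI boot, elevated shell, built-in SecureBoot cmdlets, and that the
# revocation places the "Microsoft Windows Production PCA 2011" certificate into DBX.
function Get-SecureBootRevocationState {
    $revokedCaName = 'Microsoft Windows Production PCA 2011'   # assumption, see lead-in

    $result = [ordered]@{
        SecureBootEnabled = $false
        RevocationApplied = $false
        DbxSizeBytes      = 0
        Advice            = ''
    }

    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS, or no access to UEFI variables (not elevated): nothing to inspect.
        $result.Advice = "Secure Boot state unavailable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # DBX is the list of forbidden signatures and certificates. A certificate's subject is
    # stored as a printable string inside the DER blob, so an ASCII search is enough to find it.
    $dbx = Get-SecureBootUEFI -Name dbx
    $dbxText = [System.Text.Encoding]::ASCII.GetString($dbx.Bytes)

    $result.DbxSizeBytes      = $dbx.Bytes.Length
    $result.RevocationApplied = $dbxText.Contains($revokedCaName)

    $result.Advice = if (-not $result.SecureBootEnabled) {
        'Secure Boot is off; the revocation provides no protection until it is enabled.'
    } elseif ($result.RevocationApplied) {
        'Revocation already present in DBX; this cannot be undone while Secure Boot stays on.'
    } else {
        'Revocation not yet applied. Update all bootable media (install/recovery USB, ISOs, backups) before applying it.'
    }

    [pscustomobject]$result
}

Get-SecureBootRevocationState | Format-List
```

Run it across a fleet before and after the rollout: the “not yet applied” state is the window in which a machine is still vulnerable to the bootkit, and the “already present” state is the one where a forgotten recovery USB will refuse to boot, so both columns are worth tracking in inventory.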
“Modern UEFI-based Secure Boot schemes are extremely complex to configure properly and/or to significantly reduce their attack surface,” firmware security firm Binarly noted earlier this March. “Having said that, bootloader attacks are unlikely to go away any time soon.”
Software Patches from Other Vendors
Apart from Microsoft, security updates have also been released by other vendors over the past few weeks to fix several vulnerabilities, including —