Microsoft's May 2023 Patch Tuesday has arrived with security updates for 38 flaws, including three zero-day vulnerabilities. Six of the resolved issues are classified as 'Critical' because they allow remote code execution, the most severe class of vulnerability. This month's release is relatively small: the count of 38 does not include the 11 Microsoft Edge vulnerabilities addressed on May 5th.
The three zero-day vulnerabilities fixed this month include two that were actively exploited in attacks and one that was publicly disclosed. Microsoft defines a vulnerability as a zero-day if it is publicly disclosed or actively exploited before an official fix is available. The two actively exploited zero-day vulnerabilities addressed in this update are CVE-2023-29336 and CVE-2023-24932.
CVE-2023-29336 is a Win32k Elevation of Privilege Vulnerability. Microsoft has fixed a privilege elevation flaw in the Win32k kernel driver that lets a local attacker raise their privileges to SYSTEM, the highest privilege level in Windows. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," states Microsoft's advisory. While Microsoft reports that the bug is actively exploited, it has published no details on how it was abused. The vulnerability was discovered by Jan Vojtešek, Milánek, and Luigino Camastra with Avast.
CVE-2023-24932 is a Secure Boot Security Feature Bypass Vulnerability. Microsoft has fixed a Secure Boot bypass flaw that a threat actor used to install the BlackLotus UEFI bootkit. "To exploit the vulnerability, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy," according to Microsoft's advisory. UEFI bootkits are malware that run in the early UEFI boot stage, before the operating system loads, which makes them invisible to security software running within the operating system. The BlackLotus bootkit has been sold on hacker forums since October 2022 and continues to gain features. In March, ESET reported that the developer had improved the malware to bypass Secure Boot even on fully patched Windows 11 systems. Microsoft released guidance last month on how to detect BlackLotus UEFI bootkit attacks. With this Patch Tuesday, Microsoft shipped a fix for the vulnerability used by the bootkit, but the fix is not enabled by default. "The security update addresses the vulnerability by updating the Windows Boot Manager, but is not enabled by default," explains Microsoft's advisory. "Additional steps are required at this time to mitigate the vulnerability. Please refer to the following for steps to determine impact on your environment: KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932." In practice, the update installs a newer boot manager but does not by itself revoke the older, vulnerable ones; administrators must apply the revocations described in KB5025885, and should first confirm that all bootable and recovery media for a device have been updated, because revoking a boot manager that is still used by installation or recovery media will stop those media from booting. This vulnerability bypasses the fix for the previously patched CVE-2022-21894.
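Because the fix ships disabled, the first thing a practitioner wants is a read-only answer to "where does this host stand?". The following PowerShell script is an added example, not code from Microsoft's advisory or from KB5025885: it reads the firmware Secure Boot variables, the `AvailableUpdates` registry value that KB5025885 uses to stage the mitigation (key path as given in the KB at the time of writing; confirm against the current KB revision), and the signer of the boot manager currently on the EFI System Partition. The drive letter `S:` for mounting the ESP is an assumption. Nothing here changes state; applying the revocations remains a separate, deliberate step.

```powershell
#Requires -RunAsAdministrator
# Added example (not from Microsoft's advisory or KB5025885): report where one
# Windows host stands on the CVE-2023-24932 mitigation. Read-only.

function Get-SecureBootRevocationStatus {
    [CmdletBinding()]
    param(
        # Drive letter used to temporarily mount the EFI System Partition (assumed free).
        [string]$EspLetter = 'S:'
    )

    $status = [ordered]@{}

    # 1. Secure Boot must actually be enforcing; otherwise DB/DBX contents are moot.
    try   { $status.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $status.SecureBootEnabled = $false }   # legacy BIOS or firmware without the variable

    if ($status.SecureBootEnabled) {
        # 2. DB: has the "Windows UEFI CA 2023" certificate, which signs the new
        #    boot manager, been added to the allow list?
        $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $status.NewCAInDb = [bool]($db -match 'Windows UEFI CA 2023')

        # 3. DBX: has the "Microsoft Windows Production PCA 2011" certificate, which
        #    signs the older boot managers the bootkit relies on, been revoked?
        #    Until this is true the host can still be booted with a vulnerable manager.
        $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
        $status.OldCARevokedInDbx = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
    } else {
        $status.NewCAInDb = $status.OldCARevokedInDbx = $null
    }

    # 4. Registry value KB5025885 uses to stage the mitigation (absent = nothing staged).
    #    Key path per the KB at time of writing; treat as an assumption and re-check the KB.
    $sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $status.AvailableUpdates = (Get-ItemProperty -Path $sbKey -Name AvailableUpdates `
                                -ErrorAction SilentlyContinue).AvailableUpdates

    # 5. Who signed the boot manager on disk? Old chain: issuer contains
    #    "Microsoft Windows Production PCA 2011"; updated chain: "Windows UEFI CA 2023".
    $bootmgr = Join-Path $EspLetter 'EFI\Microsoft\Boot\bootmgfw.efi'
    mountvol $EspLetter /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath $bootmgr
        $status.BootManagerSignatureStatus = $sig.Status
        $status.BootManagerIssuer          = $sig.SignerCertificate.Issuer
    } finally {
        mountvol $EspLetter /D | Out-Null
    }

    # A host counts as mitigated only when the new CA is trusted, the old CA is
    # revoked, and the on-disk boot manager is signed by the new chain.
    $status.Mitigated = $status.SecureBootEnabled -and $status.NewCAInDb -and
                        $status.OldCARevokedInDbx -and
                        ($status.BootManagerIssuer -like '*Windows UEFI CA 2023*')

    [pscustomobject]$status
}

Get-SecureBootRevocationStatus | Format-List
```

Run it from an elevated session on each UEFI host before and after working through KB5025885. A machine that shows `NewCAInDb` true but `OldCARevokedInDbx` false has received the new boot manager but is still exposed, because an attacker with admin rights can reinstall an older, still-trusted boot manager; do not flip the DBX revocation until the script also reports the ESP boot manager as signed by the 2023 chain and your recovery media have been rebuilt.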
Microsoft also released a security update for one publicly disclosed zero-day vulnerability that was not actively exploited: CVE-2023-29325, a Windows OLE Remote Code Execution Vulnerability. The flaw is in Windows OLE and can be reached through Microsoft Outlook using specially crafted emails. "In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim," warns Microsoft's advisory. "Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim's Outlook application displaying a preview of a specially crafted email." "This could result in the attacker executing remote code on the victim's machine." However, an attacker must win a race condition and take additional actions to prepare the target environment before exploitation succeeds. Microsoft suggests that users can mitigate this vulnerability by reading all messages in plain text format. The vulnerability was discovered by Will Dormann of Vuln Labs.
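The plain-text mitigation is a registry-backed Outlook setting, and since the preview pane is itself an attack path, an administrator will want to enforce it rather than rely on each user. The PowerShell below is an added example, not code from Microsoft's advisory: it writes the `ReadAsPlain` value under the `Policies` hive (the location the Outlook Group Policy template writes, which locks the option in the UI) and then reports the effective state from both the policy and per-user keys. It assumes Outlook 2016/2019/Microsoft 365, whose registry version key is `16.0`; `ReadSignedAsPlain` is the companion value for digitally signed mail.

```powershell
# Added example (not from Microsoft's advisory): enforce and verify Outlook's
# "read all standard mail as plain text" mitigation for CVE-2023-29325.
# Assumes the 16.0 version key (Outlook 2016/2019/Microsoft 365).

function Set-OutlookReadAsPlainText {
    [CmdletBinding()]
    param(
        [string]$OfficeVersion = '16.0',
        # Also force digitally signed mail to plain text.
        [switch]$IncludeSigned
    )
    # Writing under Policies rather than the user's own Options key greys the
    # setting out in Outlook's UI, so the user cannot switch HTML rendering back on.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name ReadAsPlain -Value 1 -Type DWord
    if ($IncludeSigned) {
        Set-ItemProperty -Path $policyKey -Name ReadSignedAsPlain -Value 1 -Type DWord
    }
}

function Test-OutlookReadAsPlainText {
    [CmdletBinding()]
    param([string]$OfficeVersion = '16.0')
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"

    $policy = (Get-ItemProperty -Path $policyKey -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
    $user   = (Get-ItemProperty -Path $userKey   -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain

    # A policy value, when present, overrides whatever the user chose in Outlook's options.
    $effective = if ($null -ne $policy) { $policy } else { $user }
    [pscustomobject]@{
        PolicyValue   = $policy
        UserValue     = $user
        Enforced      = ($null -ne $policy)   # true only if set via the Policies hive
        PlainTextOnly = ($effective -eq 1)
    }
}

Set-OutlookReadAsPlainText -IncludeSigned
Test-OutlookReadAsPlainText
```

Outlook reads these values at start-up, so restart it after applying the change; in a managed estate the same two values are more naturally delivered through Group Policy than per-host scripting. Plain-text rendering removes formatting and inline images from every message, so treat it as a stop-gap until the May update is installed on affected hosts rather than a permanent configuration.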
Other vendors who released updates or advisories in May 2023 include: [list omitted]. The complete list of resolved vulnerabilities in the May 2023 Patch Tuesday updates can be found in the full report.