CVE-2023-29336 – Win32k elevation of privilege vulnerability

Microsoft has fixed an elevation of privilege vulnerability in the Win32k Kernel driver that elevates privileges to SYSTEM, the highest user privilege level in Windows.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft’s advisory reads.

Although Microsoft reports that the bug is being actively exploited, there are no details on how it was abused.

Microsoft says Jan Vojtešek, Milánek and Luigino Camastra with Avast discovered the vulnerability.

CVE-2023-24932 – Secure Boot Security Feature Bypass Vulnerability

Microsoft has fixed a Secure Boot bypass vulnerability used by a malicious actor to install the BlackLotus UEFI Starter Kit.

“To exploit the vulnerability, an attacker with physical access or administrative rights to a target device could install an affected boot policy,” Microsoft’s advisory reads.

UEFI bootkits are malware implanted into the system firmware and are invisible to security software running in the operating system because the malware loads during the initial phase of the boot sequence.

Since October 2022, a malicious actor has been selling the BlackLotus bootkit on hacker forums and continues to evolve its features. For example, in March, ESET reported that the developer improved the malware to bypass Secure Boot even on fully patched Windows 11 Operating systems.

Microsoft issued guidance last month on how to detect BlackLotus UEFI bootkit attacks. With today’s Patch Tuesday, Microsoft fixed the vulnerability used by the bootkit but did not enable it by default.

“The security update addresses the vulnerability by updating Windows Boot Manager, but is not enabled by default,” Microsoft’s advisory explains.

“Additional steps are currently required to mitigate the vulnerability. Please refer to the following steps to determine the impact to your environment: KB5025885: How to handle Windows Boot Manager revocations for Secure Boot changes related to CVE-2023-24932.”

Microsoft says this vulnerability is a workaround for the previously fixed patch CVE-2022-21894 vulnerability.

CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability

Microsoft has fixed a Windows OLE flaw in Microsoft Outlook that can be exploited using specially crafted emails.

“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim,” Microsoft’s advisory warns.

“Exploitation of the vulnerability may involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email.”

“This could cause the attacker to remotely execute code on the victim’s machine.”

However, an attacker must win a “race” condition and take additional steps to successfully exploit the flaw.

Microsoft says users can mitigate this vulnerability by read all messages in plain text format.

Will Dormann of Vuln Labs discovered the vulnerability.