Today is Microsoft’s May 2023 Patch Tuesday, and the security updates fix three zero-day vulnerabilities and a total of 38 flaws.
Six vulnerabilities are classified as “critical” because they allow remote code execution, the most severe type of vulnerability.
The number of bugs in each vulnerability category is listed below:
- 8 Elevation of Privilege Vulnerabilities
- 4 Security Feature Bypass Vulnerabilities
- 12 Remote Code Execution Vulnerabilities
- 8 Information Disclosure Vulnerabilities
- 5 Denial of service vulnerabilities
- 1 Spoofing Vulnerability
Today’s Patch Tuesday is one of the smallest in terms of vulnerabilities addressed, with only thirty-eight vulnerabilities fixed, not counting eleven Microsoft Edge vulnerabilities patched last week, May 5.
Three zero-days fixed
This month’s Patch Tuesday fixes three zero-day vulnerabilities, two of which are exploited in attacks and one of which was publicly disclosed.
Microsoft classifies a vulnerability as zero-day if it is publicly disclosed or actively exploited with no official patch available.
The two actively exploited zero-day vulnerabilities in today’s updates are:
CVE-2023-29336 – Win32k elevation of privilege vulnerability
Microsoft has fixed an elevation of privilege vulnerability in the Win32k Kernel driver that elevates privileges to SYSTEM, the highest user privilege level in Windows.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft’s advisory reads.
Although Microsoft reports that the bug is being actively exploited, there are no details on how it was abused.
Microsoft says Jan Vojtešek, Milánek and Luigino Camastra with Avast discovered the vulnerability.
CVE-2023-24932 – Secure Boot Security Feature Bypass Vulnerability
Microsoft has fixed a Secure Boot bypass vulnerability used by a malicious actor to install the BlackLotus UEFI bootkit.
“To exploit the vulnerability, an attacker with physical access or administrative rights to a target device could install an affected boot policy,” Microsoft’s advisory reads.
UEFI bootkits are malware implanted into the system firmware and are invisible to security software running in the operating system because the malware loads during the initial phase of the boot sequence.
Since October 2022, a malicious actor has been selling the BlackLotus bootkit on hacker forums and continues to evolve its features. For example, in March, ESET reported that the developer improved the malware to bypass Secure Boot even on fully patched Windows 11 Operating systems.
Microsoft issued guidance last month on how to detect BlackLotus UEFI bootkit attacks. With today’s Patch Tuesday, Microsoft fixed the vulnerability used by the bootkit, but the fix is not enabled by default.
“The security update addresses the vulnerability by updating Windows Boot Manager, but is not enabled by default,” Microsoft’s advisory explains.
“Additional steps are currently required to mitigate the vulnerability. Please refer to the following steps to determine the impact to your environment: KB5025885: How to handle Windows Boot Manager revocations for Secure Boot changes related to CVE-2023-24932.”
Microsoft says this vulnerability is a bypass of the patch for the previously fixed CVE-2022-21894 vulnerability.
Microsoft also released a security update for a publicly disclosed zero-day vulnerability that has not been actively exploited.
CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability
Microsoft has fixed a Windows OLE flaw that can be exploited in Microsoft Outlook using specially crafted emails.
“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim,” Microsoft’s advisory warns.
“Exploitation of the vulnerability may involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email.”
“This could cause the attacker to remotely execute code on the victim’s machine.”
However, an attacker must win a race condition and take additional steps to successfully exploit the flaw.
Microsoft says users can mitigate this vulnerability by reading all messages in plain text format.
Will Dormann of Vuln Labs discovered the vulnerability.
Recent updates from other companies
Other vendors that released updates or advisories in May 2023 include:
May 2023 Patch Tuesday Security Updates
Below is the full list of vulnerabilities addressed in the May 2023 Patch Tuesday updates.
To access the complete description of each vulnerability and the systems it affects, you can consult the full report here.
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| Microsoft Bluetooth Driver | CVE-2023-24947 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important |
| Microsoft Bluetooth Driver | CVE-2023-24948 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Bluetooth Driver | CVE-2023-24944 | Windows Bluetooth Driver Information Disclosure Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2023-29354 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Moderate |
| Microsoft Edge (Chromium-based) | CVE-2023-2468 | Chromium: CVE-2023-2468 Inappropriate implementation in PictureInPicture | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-2459 | Chromium: CVE-2023-2459 Inappropriate implementation in Prompts | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-29350 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2023-2467 | Chromium: CVE-2023-2467 Inappropriate implementation in Prompts | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-2463 | Chromium: CVE-2023-2463 Inappropriate implementation in Full Screen Mode | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-2462 | Chromium: CVE-2023-2462 Inappropriate implementation in Prompts | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-2460 | Chromium: CVE-2023-2460 Insufficient validation of untrusted input in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-2465 | Chromium: CVE-2023-2465 Inappropriate implementation in CORS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-2466 | Chromium: CVE-2023-2466 Inappropriate implementation in Prompts | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-2464 | Chromium: CVE-2023-2464 Inappropriate implementation in PictureInPicture | Unknown |
| Microsoft Graphics Component | CVE-2023-24899 | Windows Graphics Component Elevation of Privilege Vulnerability | Important |
| Microsoft Office | CVE-2023-29344 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office Access | CVE-2023-29333 | Microsoft Access Denial of Service Vulnerability | Important |
| Microsoft Office Excel | CVE-2023-24953 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2023-24955 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2023-24954 | Microsoft SharePoint Server Information Disclosure Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2023-24950 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Microsoft Office Word | CVE-2023-29335 | Microsoft Word Security Feature Bypass Vulnerability | Important |
| Microsoft Teams | CVE-2023-24881 | Microsoft Teams Information Disclosure Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2023-29340 | AV1 Video Extension Remote Code Execution Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2023-29341 | AV1 Video Extension Remote Code Execution Vulnerability | Important |
| Remote Desktop Client | CVE-2023-24905 | Remote Desktop Client Remote Code Execution Vulnerability | Important |
| Sysinternals | CVE-2023-29343 | SysInternals Sysmon for Windows Elevation of Privilege Vulnerability | Important |
| Visual Studio Code | CVE-2023-29338 | Visual Studio Code Information Disclosure Vulnerability | Important |
| Windows Backup Engine | CVE-2023-24946 | Windows Backup Service Elevation of Privilege Vulnerability | Important |
| Windows Installer | CVE-2023-24904 | Windows Installer Elevation of Privilege Vulnerability | Important |
| Windows iSCSI Target Service | CVE-2023-24945 | Windows iSCSI Target Service Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2023-24949 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows LDAP - Lightweight Directory Access Protocol | CVE-2023-28283 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical |
| Windows MSHTML Platform | CVE-2023-29324 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Important |
| Windows Network File System | CVE-2023-24941 | Windows Network File System Remote Code Execution Vulnerability | Critical |
| Windows NFS Portmapper | CVE-2023-24901 | Windows NFS Portmapper Information Disclosure Vulnerability | Important |
| Windows NFS Portmapper | CVE-2023-24939 | Server for NFS Denial of Service Vulnerability | Important |
| Windows NTLM | CVE-2023-24900 | Windows NTLM Security Support Provider Information Disclosure Vulnerability | Important |
| Windows OLE | CVE-2023-29325 | Windows OLE Remote Code Execution Vulnerability | Critical |
| Windows PGM | CVE-2023-24940 | Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability | Important |
| Windows PGM | CVE-2023-24943 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical |
| Windows RDP Client | CVE-2023-28290 | Microsoft Remote Desktop app for Windows Information Disclosure Vulnerability | Important |
| Windows Remote Procedure Call Runtime | CVE-2023-24942 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Secure Boot | CVE-2023-28251 | Windows Driver Revocation List Security Feature Bypass Vulnerability | Important |
| Windows Secure Boot | CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | Important |
| Windows Secure Socket Tunneling Protocol (SSTP) | CVE-2023-24903 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical |
| Windows SMB | CVE-2023-24898 | Windows SMB Denial of Service Vulnerability | Important |
| Windows Win32K | CVE-2023-29336 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2023-24902 | Win32k Elevation of Privilege Vulnerability | Important |
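A list like the one above is only useful once it has been turned into a patching order. The script below is an added example, not part of the article or of any Microsoft tooling: it parses rows in the flattened `|tag||cve||title||severity|` layout seen on this page, derives the article's vulnerability categories (remote code execution, elevation of privilege, and so on) from the advisory title, and ranks entries so that the actively exploited zero-days come first, then the publicly disclosed one, then everything else by severity and impact. The sample rows are a constructed subset copied from the table (not the full list), and the ordering rule, the `EXPLOITED`/`DISCLOSED` sets and the category keywords are this example's own choices, taken from the article's text rather than from any MSRC feed.

```python
import re
from collections import Counter

# Constructed input: a handful of rows copied from the article's table, in the
# flattened "|tag||cve||title||severity|" layout the page uses. Not the full list.
SAMPLE_ROWS = """\
|Microsoft Edge (Chromium-based)||CVE-2023-2468||Chromium: CVE-2023-2468 Inappropriate implementation in PictureInPicture||Unknown|
|Microsoft Office SharePoint||CVE-2023-24955||Microsoft SharePoint Server Remote Code Execution Vulnerability||Critical|
|Microsoft Office SharePoint||CVE-2023-24950||Microsoft SharePoint Server Spoofing Vulnerability||Important|
|Windows LDAP - Lightweight Directory Access Protocol||CVE-2023-28283||Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability||Critical|
|Windows OLE||CVE-2023-29325||Windows OLE Remote Code Execution Vulnerability||Critical|
|Windows Secure Boot||CVE-2023-24932||Secure Boot Security Feature Bypass Vulnerability||Important|
|Windows Win32K||CVE-2023-29336||Win32k Elevation of Privilege Vulnerability||Important|
|Windows SMB||CVE-2023-24898||Windows SMB Denial of Service Vulnerability||Important|
|Windows NTLM||CVE-2023-24900||Windows NTLM Security Support Provider Information Disclosure Vulnerability||Important|
"""

# Zero-days as named in the article: exploited in the wild vs. publicly disclosed.
# In practice these sets would be fed from a known-exploited list, not hard-coded.
EXPLOITED = {"CVE-2023-29336", "CVE-2023-24932"}
DISCLOSED = {"CVE-2023-29325"}

# Lower rank sorts first; "Unknown" (the Chromium rows) sorts last.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3, "Unknown": 4}

# The article's categories, matched against the advisory title. Order doubles as
# an impact ranking: RCE before EoP before the rest (this example's own choice).
CATEGORY_PATTERNS = [
    ("Remote Code Execution", r"Remote Code Execution"),
    ("Elevation of Privilege", r"Elevation of Privilege"),
    ("Security Feature Bypass", r"Security Feature Bypass"),
    ("Information Disclosure", r"Information Disclosure"),
    ("Denial of Service", r"Denial of Service"),
    ("Spoofing", r"Spoofing"),
]
CATEGORY_RANK = {name: i for i, (name, _) in enumerate(CATEGORY_PATTERNS)}

# One flattened row: four fields separated by "||", wrapped in single pipes.
ROW_RE = re.compile(r"^\|(.*?)\|\|(.*?)\|\|(.*?)\|\|(.*?)\|$")


def categorize(title):
    """Map an MSRC-style title to one of the article's categories, else 'Other'."""
    for name, pattern in CATEGORY_PATTERNS:
        if re.search(pattern, title, re.IGNORECASE):
            return name
    return "Other"


def parse_rows(text):
    """Parse flattened table rows into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        tag, cve, title, severity = (s.strip() for s in m.groups())
        entries.append({
            "tag": tag, "cve": cve, "title": title, "severity": severity,
            "category": categorize(title),
            "exploited": cve in EXPLOITED,
            "disclosed": cve in DISCLOSED,
        })
    return entries


def priority_key(entry):
    """Sort key: exploited first, then disclosed, then severity, then impact, then ID."""
    return (
        0 if entry["exploited"] else 1,
        0 if entry["disclosed"] else 1,
        SEVERITY_RANK.get(entry["severity"], 9),
        CATEGORY_RANK.get(entry["category"], 9),
        entry["cve"],
    )


def triage(text):
    """Parse and return the entries in recommended patching order."""
    return sorted(parse_rows(text), key=priority_key)


def category_counts(entries):
    """Per-category tally, the same breakdown the article gives at the top."""
    return Counter(e["category"] for e in entries)


if __name__ == "__main__":
    ranked = triage(SAMPLE_ROWS)
    for e in ranked:
        flag = "EXPLOITED" if e["exploited"] else ("DISCLOSED" if e["disclosed"] else "")
        print(f"{e['cve']:<15} {e['severity']:<10} {e['category']:<24} {flag}")
    print(dict(category_counts(ranked)))
```

Run against the full table, `category_counts` should reproduce the article's breakdown (8 EoP, 4 SFB, 12 RCE, 8 ID, 5 DoS, 1 spoofing), which is a cheap way to catch a row the extraction mangled; the Chromium rows land in "Other" because their titles carry no Microsoft category, so they need a separate severity source.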