Microsoft has released an optional patch to address a kernel information disclosure vulnerability affecting systems running multiple versions of Windows, including the latest versions of Windows 10, Windows Server, and Windows 11.
Despite a medium-severity CVSS base score of 4.7/10, Redmond rated this security flaw (CVE-2023-32019) as Important.
Reported by Google Project Zero security researcher Mateusz Jurczyk, the bug allows authenticated attackers to access the heap memory of privileged processes running on unpatched devices.
While successful exploitation does not require threat actors to hold administrator or other elevated privileges, it does depend on their ability to coordinate the attack with another privileged process run by a different user on the target system.
What distinguishes the CVE-2023-32019 patch from the other security updates released as part of the June 2023 Patch Tuesday is that it is disabled by default, even after the update that contains it has been installed.
As Microsoft explains in a support document, you need to edit the registry on vulnerable Windows systems to activate the fix.
“To mitigate the vulnerability associated with CVE-2023-32019, install Windows June 2023 Update or later Windows Update”, Microsoft said.
“By default, the fix for this vulnerability is disabled. To enable the fix, you must set a registry key value based on your Windows operating system.”
While Microsoft didn’t provide additional details on why this fix is disabled by default, a spokesperson told BleepingComputer that “the update should be enabled by default in a future release.”
However, it’s unclear whether activating the patch can cause any issues in the operating system, so it may be safer to test it on a few machines before doing a large-scale deployment.
How to enable CVE-2023-32019 fix
Depending on the version of Windows running on your device, you will have to add one of the following values under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides registry key:
- Windows 10 20H2, 21H2, 22H2: Add a new DWORD registry value named 4103588492 with a data value of 1
- Windows 11 21H2: Add a new DWORD registry value named 4204251788 with a data value of 1
- Windows 11 22H2: Add a new DWORD registry value named 4237806220 with a data value of 1
- Windows Server 2022: Add a new DWORD registry value named 4137142924 with a data value of 1
On Windows 10 1607 and Windows 10 1809 you will instead need to add a new DWORD registry value named ‘LazyRetryOnCommitFailure’ with a data value of 0 under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager registry key.
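The steps above can be scripted so that the right value is written for the OS actually running on the box and then read back to confirm the fix is on. The following PowerShell is an added example, not code from the article or from Microsoft's support document; it assumes the June 2023 update is already installed, and the mapping from Windows build numbers (CurrentBuildNumber) to the versions listed above is my own assumption, so any build outside that mapping makes the script stop rather than guess.

```powershell
# Added example (not from the original article or Microsoft's KB): pick the
# CVE-2023-32019 registry override for the running OS, apply it, and verify it.
# Assumes the June 2023 (or later) cumulative update is already installed.
#Requires -RunAsAdministrator

$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

# FeatureManagement override IDs from the article, keyed by OS build number.
# The build-number-to-version mapping is an assumption made for this example.
$overrides = @{
    19042 = '4103588492'   # Windows 10 20H2
    19044 = '4103588492'   # Windows 10 21H2
    19045 = '4103588492'   # Windows 10 22H2
    22000 = '4204251788'   # Windows 11 21H2
    22621 = '4237806220'   # Windows 11 22H2
    20348 = '4137142924'   # Windows Server 2022
}
# Windows 10 1607 (build 14393) and 1809 (build 17763) use a different switch.
$legacyBuilds = @(14393, 17763)

if ($overrides.ContainsKey($build)) {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
    $name = $overrides[$build]
    $want = 1
} elseif ($legacyBuilds -contains $build) {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'
    $name = 'LazyRetryOnCommitFailure'
    $want = 0
} else {
    throw "Build $build is not in this script's mapping; check Microsoft's guidance for this OS version."
}

# Create the key if it does not exist yet; -Force on New-ItemProperty overwrites an existing value.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name $name -Value $want -PropertyType DWord -Force | Out-Null

# Read the value back: a missing or wrong value means the fix is still disabled.
$actual = (Get-ItemProperty -Path $key -Name $name).$name
if ($actual -eq $want) {
    Write-Output "CVE-2023-32019 fix enabled on build ${build}: ${key}\${name} = $actual"
} else {
    Write-Error "Unexpected value for ${key}\${name}: $actual (expected $want)"
}
```

Run it from an elevated PowerShell session on one or two test machines first, as the article advises; the verification step at the end is also what you would run on its own across a fleet to audit which hosts still have the fix disabled.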
This isn’t the first time the company has released an optional patch for a Windows security vulnerability.
Last month, Microsoft said that the patch for Secure Boot bug CVE-2023-24932, exploited as a zero-day by the BlackLotus UEFI malware, required additional manual steps beyond installing the security update to remove the attack vector.
As explained at the time, Redmond is taking a phased approach to applying CVE-2023-24932 protections to reduce the impact on customers.
Microsoft also warned that there is no way to roll back the changes once the CVE-2023-24932 mitigations are fully deployed and enabled on a system.