Microsoft has released its May 2023 Patch Tuesday updates, including fixes for 38 vulnerabilities. By number of resolved vulnerabilities this is one of the smallest monthly releases, but it is still crucial: it includes a patch for a Windows bug and a Secure Boot bypass flaw that attackers have exploited in the wild, and it also contains six Critical vulnerabilities allowing remote code execution.
Microsoft addresses three zero-day vulnerabilities: two actively exploited in attacks and one publicly disclosed. The first zero-day (CVE-2023-29336) is a privilege elevation vulnerability in the Win32k kernel driver that allows an attacker to gain SYSTEM privileges. The second zero-day (CVE-2023-24932) is a Secure Boot bypass flaw that allows an attacker with physical access or administrative rights to install an affected boot policy and then the BlackLotus UEFI bootkit. The third zero-day (CVE-2023-29325) is a Windows OLE flaw reachable through Microsoft Outlook that can be exploited using specially crafted emails and could let the attacker execute remote code on the victim’s machine. Microsoft advises users to apply the updates and take the additional measures it documents to mitigate these vulnerabilities. A fast vulnerability management tool also helps shorten the window between release and deployment.
Microsoft’s Patch Tuesday for May 2023 has addressed three zero-day vulnerabilities, two of which have been actively exploited in attacks.
CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability. This is a privilege elevation flaw in the Win32k kernel driver that can give attackers SYSTEM privileges. Unknown actors actively exploited the bug, but Microsoft has not provided any details on the nature of these attacks.
CVE-2023-24932 – Secure Boot Security Feature Bypass Vulnerability. This update fixes the Secure Boot bypass flaw that threat actors have exploited to install the BlackLotus UEFI bootkit. An attacker with physical access or administrative rights to a target device can install the malware. UEFI bootkits are invisible to security software running within the operating system. The threat actor has been selling the BlackLotus bootkit on hacker forums since October 2022 and continues to update its features. Microsoft released guidance last month on how to detect BlackLotus UEFI bootkit attacks. This vulnerability is a bypass of the previously fixed CVE-2022-21894.
CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability. This is a Windows OLE flaw reachable through Microsoft Outlook that can be exploited using specially crafted emails. The flaw can be triggered when a victim opens a malicious email or when Outlook previews such an email. A successful exploit lets the attacker execute remote code on the victim’s machine. However, the attacker must win a race condition and take additional actions to exploit the flaw successfully. As a mitigation, users can read all messages in plain text format.
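The plain-text mitigation above is a per-user Outlook setting, so it is worth auditing rather than assuming. The following PowerShell script is an added example, not from the bulletin or from Microsoft; it assumes current Outlook builds keep the setting as the ReadAsPlain DWORD under the 16.0 registry hive, and that the Group Policy copy under HKCU\Software\Policies takes precedence over the user preference.

```powershell
# Added example: audit (and with -Enforce, apply) the CVE-2023-29325 mitigation
# of reading all Outlook mail as plain text on the current user's profile.
# Assumptions: Outlook 2016/2019/2021/365 use the "16.0" hive, the value is
# named ReadAsPlain, and a policy-key value overrides the user-preference value.
param(
    [switch]$Enforce,
    [string]$OfficeVersion = "16.0"
)

$prefKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
$policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"

function Get-ReadAsPlain {
    param([string]$Key)
    # Returns 1/0 if the value exists, $null if the key or value is absent.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name ReadAsPlain -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.ReadAsPlain
}

$policy = Get-ReadAsPlain $policyKey
$pref   = Get-ReadAsPlain $prefKey

# Policy value wins when present; 1 means "read all standard mail as plain text".
$effective = if ($null -ne $policy) { $policy } else { $pref }

if ($effective -eq 1) {
    Write-Output "Outlook $OfficeVersion reads mail as plain text (policy=$policy, pref=$pref)."
} else {
    Write-Output "Outlook $OfficeVersion renders HTML/RTF mail (policy=$policy, pref=$pref): mitigation not in place."
    if ($Enforce) {
        if ($null -ne $policy) {
            Write-Output "A policy value of $policy is set; change it via Group Policy rather than here."
        } else {
            if (-not (Test-Path $prefKey)) { New-Item -Path $prefKey -Force | Out-Null }
            Set-ItemProperty -Path $prefKey -Name ReadAsPlain -Value 1 -Type DWord
            Write-Output "Set ReadAsPlain=1 under $prefKey. Restart Outlook for it to take effect."
        }
    }
}
```

Run it without switches to report, or with -Enforce to set the user preference; a deployed Group Policy value is reported but deliberately not overwritten.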
| Tag | CVE Number | CVE Title | Max Severity |
|---|---|---|---|
| Windows Secure Socket Tunneling Protocol (SSTP) | CVE-2023-24903 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical |
| Windows Network File System | CVE-2023-24941 | Windows Network File System Remote Code Execution Vulnerability | Critical |
| Windows PGM | CVE-2023-24943 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2023-24955 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical |
| Windows LDAP – Lightweight Directory Access Protocol | CVE-2023-28283 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical |
| Windows OLE | CVE-2023-29325 | Windows OLE Remote Code Execution Vulnerability | Critical |
Microsoft May Patch Tuesday 2023 security bulletin summary
This release includes security updates for the following products, features, and roles.
- Client Server Run-time Subsystem (CSRSS)
- Internet Control Message Protocol (ICMP)
- Microsoft Bluetooth Driver
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Office Excel
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft OneDrive
- Microsoft PostScript Printer Driver
- Microsoft Printer Drivers
- Microsoft Windows Codecs Library
- Office for Android
- Remote Access Service Point-to-Point Tunneling Protocol
- Role: DNS Server
- Role: Windows Hyper-V
- Service Fabric
- Visual Studio
- Windows Accounts Control
- Windows Bluetooth Service
- Windows Central Resource Manager
- Windows Cryptographic Services
- Windows Defender
- Windows HTTP Protocol Stack
- Windows HTTP.sys
- Windows Internet Key Exchange (IKE) Protocol
- Windows Kernel
- Windows Partition Management Driver
- Windows Point-to-Point Protocol over Ethernet (PPPoE)
- Windows Remote Procedure Call
- Windows Remote Procedure Call Runtime
- Windows Resilient File System (ReFS)
- Windows Secure Channel
- Windows SmartScreen
- Windows TPM
- Windows Win32K
Product: Microsoft Windows.
CVEs/Advisory: CVE-2022-26928, CVE-2023-24898, CVE-2023-24900, CVE-2023-24901, CVE-2023-24902, CVE-2023-24903, CVE-2023-24904, CVE-2023-24932, CVE-2023-24939, CVE-2023-24940, CVE-2023-24941, CVE-2023-24942, CVE-2023-24943, CVE-2023-24945, CVE-2023-24946, CVE-2023-24949, CVE-2023-28251, CVE-2023-28283, CVE-2023-28290, CVE-2023-29324, CVE-2023-29325, CVE-2023-29336, CVE-2023-29340, CVE-2023-29341
Impact: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Denial of Service
Product: Microsoft Office.
CVEs/Advisory: CVE-2021-28452, CVE-2022-41104, CVE-2023-21738, CVE-2023-23396, CVE-2023-23398, CVE-2023-24950, CVE-2023-24953, CVE-2023-24954, CVE-2023-24955, CVE-2023-29333, CVE-2023-29335, CVE-2023-29344
Impact: Denial of Service, Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing
Also apply any previous Patch Tuesday updates you have not yet installed to stay secure.