Microsoft has released Patch Tuesday updates for May 2023 to address 38 security flaws, including a zero-day bug that it said is being actively exploited in the wild.
Trend Micro’s Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it noted that “this number is expected to increase in the coming months.”
Of the 38 vulnerabilities, six are classified as critical and 32 are considered important in severity. Eight of the flaws have been tagged with Microsoft’s “Exploitation More Likely” assessment.
That’s in addition to 18 flaws, including 11 bugs since the beginning of May, that the Windows maker addressed in its Chromium-based Edge browser after the April Patch Tuesday updates were released.
Topping the list is CVE-2023-29336 (CVSS score: 7.8), a privilege escalation flaw in Win32k that has been actively exploited. It was not immediately clear how extensive the attacks were.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said, crediting Avast researchers Jan Vojtěšek, Milánek and Luigino Camastra for reporting the flaw.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies and other organizations to apply the vendor fixes by May 30, 2023.
Also of note are two publicly known flaws, one of which is a critical remote code execution vulnerability in Windows OLE (CVE-2023-29325, CVSS score: 8.1) that an attacker could weaponize by sending a specially crafted email to the victim.
As a mitigation, Microsoft recommends that users read email messages in plain text format to protect against this vulnerability.
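The plain-text mitigation is a per-user Outlook setting, so it is worth auditing rather than assuming. The following PowerShell script is an added example (not from the article or from Microsoft's advisory) that reports whether Outlook is configured to read standard mail as plain text and, with `-Apply`, sets the user-level value. It assumes the `ReadAsPlain` DWORD under the Office 16.0 (and 15.0) registry hives, with the Group Policy managed copy under `HKCU\Software\Policies`; the version list and output fields are this script's own choices.

```powershell
# Added example: audit (and optionally apply) Outlook's "read as plain text" setting.
# Assumed registry locations:
#   user preference : HKCU\Software\Microsoft\Office\<ver>\Outlook\Options\Mail\ReadAsPlain
#   GPO-managed copy: HKCU\Software\Policies\Microsoft\Office\<ver>\Outlook\Options\Mail\ReadAsPlain
param(
    [switch]$Apply
)

$officeVersions = @('16.0', '15.0')   # assumed Office versions to inspect

function Get-ReadAsPlainState {
    param([string]$Version)
    $userKey   = "HKCU:\Software\Microsoft\Office\$Version\Outlook\Options\Mail"
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$Version\Outlook\Options\Mail"

    # Get-ItemProperty returns $null when the key or value is absent (error suppressed).
    $userValue   = (Get-ItemProperty -Path $userKey   -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
    $policyValue = (Get-ItemProperty -Path $policyKey -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain

    # A policy value overrides the user preference; 1 means "read standard mail as plain text".
    $effective = if ($null -ne $policyValue) { $policyValue } else { $userValue }

    [pscustomobject]@{
        OfficeVersion = $Version
        UserValue     = $userValue
        PolicyValue   = $policyValue
        ManagedByGpo  = ($null -ne $policyValue)
        Mitigated     = ($effective -eq 1)
    }
}

foreach ($ver in $officeVersions) {
    $state = Get-ReadAsPlainState -Version $ver
    $state

    # Only touch the user preference; a GPO-managed value must be changed centrally.
    if ($Apply -and -not $state.Mitigated -and -not $state.ManagedByGpo) {
        $userKey = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Options\Mail"
        New-Item -Path $userKey -Force | Out-Null
        New-ItemProperty -Path $userKey -Name ReadAsPlain -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "Set ReadAsPlain=1 under $userKey (restart Outlook for it to take effect)"
    }
}
```

Run it without arguments to inventory a host, or with `-Apply` to enforce the setting for the current user. In a managed environment the Group Policy path is the one that should carry the value, since it cannot be undone by the user from the Outlook options dialog.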
The second publicly known vulnerability is CVE-2023-24932 (CVSS score: 6.7), a Secure Boot security feature bypass that is used by the BlackLotus UEFI bootkit to exploit CVE-2022-21894 (aka Baton Drop), which was resolved in January 2022.
“This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled,” Microsoft said in separate guidance.
“This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation depends on the attacker having physical access or local administration privileges to the target device.”
It’s worth noting that the fix shipped by Microsoft is disabled by default and requires customers to manually apply the revocations, but not before updating all bootable media.
“Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device,” Microsoft warned. “Even reformatting the disk will not remove the revocations if they have already been applied.”
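Because the revocation cannot be undone once applied, an administrator should record the Secure Boot posture of each device before opting in. The following PowerShell function is an added example (not from the article or from Microsoft's guidance) that gathers the relevant facts: whether Secure Boot is enforced, the current size of the UEFI forbidden-signature database (DBX), and the most recently installed Windows update. It uses the built-in `Confirm-SecureBootUEFI`, `Get-SecureBootUEFI` and `Get-HotFix` cmdlets, must be run elevated on a UEFI system, and the output field names are this script's own choices.

```powershell
# Added example: snapshot Secure Boot state before enabling an irreversible revocation.
# Requires an elevated session on a UEFI system; on legacy BIOS the Secure Boot
# cmdlets throw, which is captured in the Error field instead of aborting.
function Get-SecureBootPosture {
    $posture = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $null
        DbxBytes          = $null
        LatestHotFix      = $null
        LatestHotFixDate  = $null
        Error             = $null
    }

    try {
        # $true when Secure Boot is on, $false when the firmware supports it but it is off.
        $posture.SecureBootEnabled = Confirm-SecureBootUEFI

        # The DBX grows when revocations are applied; recording its size before and
        # after an update gives an observable sign that a revocation actually landed.
        $dbx = Get-SecureBootUEFI -Name dbx
        $posture.DbxBytes = $dbx.Bytes.Length
    }
    catch {
        $posture.Error = $_.Exception.Message
    }

    # Most recent installed update, so the snapshot can be tied to a patch level.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if ($latest) {
        $posture.LatestHotFix     = $latest.HotFixID
        $posture.LatestHotFixDate = $latest.InstalledOn
    }

    [pscustomobject]$posture
}

# Usage: print the snapshot for this host, or pipe it to Export-Csv to build a fleet inventory.
Get-SecureBootPosture | Format-List
```

A device whose Secure Boot status reads `$false`, or whose Error field is populated, needs attention before any revocation is applied: the protection the revocation is meant to restore is not in force there in the first place. Recovery media and installation USB sticks should also be refreshed before the opt-in, since they will otherwise stop booting once the old boot manager is revoked.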
The tech giant said it is taking a phased approach to fully closing the attack vector in order to avoid the risk of unintended disruptions, an exercise expected to stretch into the first quarter of 2024.
“Modern UEFI-based secure boot schemes are extremely difficult to configure properly and/or significantly reduce their attack surfaces,” firmware security firm Binarly noted earlier this March. “That said, bootloader attacks are not likely to go away anytime soon.”
Software patches from other vendors
In addition to Microsoft, other vendors have also released security updates in recent weeks to fix various vulnerabilities, including:
This month’s Microsoft Patch Tuesday saw a variety of bug fixes and security updates, and among the highlights was the resolution of a critical zero-day bug that could allow for remote code execution. In total, 38 flaws were fixed, and this patch is essential for all PC users.
The bug, which was first identified in May, affects several Windows components and services, such as Windows Server and Windows 10’s GDI printer setup. The bug was subject to a ‘double zero-day attack’, as Microsoft said it was “actively being exploited” before the patch was applied.
The patch released by Microsoft updates the Graphics Device Interface (GDI) systems, the Windows Shell, the Win32k network, and the Remote Desktop Protocol (RDP). It also addresses vulnerabilities in third-party software, such as Adobe Font Manager Library and PowerPoint Viewer.
An additional patch was also released as part of Microsoft’s monthly round of updates. It fixes a “privilege elevation” bug that could allow a hacker to access user credentials and other sensitive information on a device. The latest patch update also includes improvements to the Windows 10 May 2020 Update, which was recently released.
These bug fixes and security updates released by Microsoft serve to illustrate the complex and ever-changing nature of cyber security. At Ikaroa, we are committed to staying up to date on the latest advances in cybersecurity and providing our clients with customized solutions to keep their digital assets secure. We believe that security must be an essential element of any digital product and we always strive to keep up with the latest technological trends.