It’s that time of the month again: We're looking at May's Patch Tuesday roundup. Microsoft has released its monthly update, and while the total number of patched vulnerabilities is relatively low at 38, among them are three zero-day vulnerabilities.
Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. Of the three included in this month’s update cycle, two have been found to be actively exploited and the third has been publicly disclosed.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The three zero-days are listed as:
- CVE-2023-29336: a Win32k Elevation of Privilege (EoP) vulnerability. Exploitation of this vulnerability in the Win32k Kernel driver could provide an attacker with SYSTEM privileges. The Cybersecurity & Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2023-24932: a Secure Boot security feature bypass vulnerability. To exploit the vulnerability, an attacker needs either physical access or administrative rights to a target device to install an affected boot policy. The vulnerability has been used to install the BlackLotus UEFI bootkit, a type of malicious infection which targets the Master Boot Record located on the physical motherboard of the computer. Attaching malicious software in this manner can allow for a malicious program to be executed prior to the loading of the operating system. The primary benefit to a bootkit infection is that it cannot be detected by standard operating systems processes because all of the components reside outside of the Windows file system. UEFI and Secure Boot have been very effective in reducing the number of bootkits, but this vulnerability allows an attacker to bypass those restrictions.
- CVE-2023-29325: a Windows OLE Remote Code Execution (RCE) vulnerability. This vulnerability is present in Microsoft Outlook and Explorer and can be exploited by attackers in order to remotely install malware. Microsoft says this vulnerability can be exploited merely by viewing a specially-crafted email in the Outlook Preview Pane. This type of RCE vulnerability is bound to become very popular among malware peddlers, and knowing that it has been publicly disclosed means that it is available for them to use. Microsoft advises users that can't install the patch immediately to read email messages in plain text format.
Another vulnerability to keep an eye on is an RCE vulnerability with a CVSS score of 9.8 out of 10. Listed as CVE-2023-24941 this is a Windows Network File System (NFS) RCE vulnerability which can be exploited over the network by making an unauthenticated, specially crafted request. This vulnerability is not exploitable in NFSV2.0 or NFSV3.0. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV4.1. This could adversely affect your ecosystem and should only be used as a temporary mitigation. More information about how to do this and when not to can be found in the Microsoft advisory about this vulnerability under Mitigation.
Other vendors
Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.
Apple released an update addressing two actively exploited zero-day flaws.
Cisco released security updates.
Google has released Android updates.
Mozilla releases security advisories for Firefox 113 and Firefox ESR 102.11.
SAP released patch day updates.
VMWare fixed four vulnerabilities in virtualization software.
Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.