May 9, 2023

Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.

First up in May’s zero-day flaws is CVE-2023-29336, which is an “elevation of privilege” weakness in Windows which has a low attack complexity, requires low privileges, and no user interaction. However, as the SANS Internet Storm Center points out, the attack vector for this bug is local.

“Local Privilege escalation vulnerabilities are a key part of attackers’ objectives,” said Kevin Breen, director of cyber threat research at Immersive Labs. “Once they gain initial access they will seek administrative or SYSTEM-level permissions. This can allow the attacker to disable security tooling and deploy more attacker tools like Mimikatz that lets them move across the network and gain persistence.”

The zero-day patch that has received the most attention so far is CVE-2023-24932, which is a Secure Boot Security Feature Bypass flaw that is being actively exploited by “bootkit” malware known as “BlackLotus.” A bootkit is dangerous because it allows the attacker to load malicious software before the operating system even starts up.

According to Microsoft’s advisory, an attacker would need physical access or administrative rights to a target device, and could then install an affected boot policy. Microsoft gives this flaw a CVSS score of just 6.7, rating it as “Important.”

Adam Barnett, lead software engineer at Rapid7, said CVE-2023-24932 deserves a considerably higher threat score.

“Microsoft warns that an attacker who already has Administrator access to an unpatched asset could exploit CVE-2023-24932 without necessarily having physical access,” Barnett said. “Therefore, the relatively low CVSSv3 base score of 6.7 isn’t necessarily a reliable metric in this case.”

Barnett said Microsoft has provided a supplementary guidance article specifically calling out the threat posed by BlackLotus malware, which loads ahead of the operating system on compromised assets, and provides attackers with an array of powerful evasion, persistence, and Command & Control (C2) techniques, including deploying malicious kernel drivers, and disabling Microsoft Defender or Bitlocker.

“Administrators should be aware that additional actions are required beyond simply applying the patches,” Barnett advised. “The patch enables the configuration options necessary for protection, but administrators must apply changes to UEFI config after patching. The attack surface is not limited to physical assets, either; Windows assets running on some VMs, including Azure assets with Secure Boot enabled, also require these extra remediation steps for protection. Rapid7 has noted in the past that enabling Secure Boot is a foundational protection against driver-based attacks. Defenders ignore this vulnerability at their peril.”

In addition to the two zero-days fixed this month, Microsoft also patched five remote code execution (RCE) flaws in Windows, two of which have notably high CVSS scores.

CVE-2023-24941 affects the Windows Network File System, and can be exploited over the network by making an unauthenticated, specially crafted request. Microsoft’s advisory also includes mitigation advice. The CVSS for this vulnerability is 9.8 – the highest of all the flaws addressed this month.

Meanwhile, CVE-2023-28283 is a critical bug in the Windows Lightweight Directory Access Protocol (LDAP) that allows an unauthenticated attacker to execute malicious code on the vulnerable device. The CVSS for this vulnerability is 8.1, but Microsoft says exploiting the flaw may be tricky and unreliable for attackers.

Another vulnerability patched this month that was disclosed publicly before today (but not yet seen exploited in the wild) is CVE-2023-29325, a weakness in Microsoft Outlook and Explorer that can be exploited by attackers to remotely install malware. Microsoft says this vulnerability can be exploited merely by viewing a specially-crafted email in the Outlook Preview Pane.

“To help protect against this vulnerability, we recommend users read email messages in plain text format,” Microsoft’s writeup on CVE-2023-29325 advises.

“If an attacker were able to exploit this vulnerability, they would gain remote access to the victim’s account, where they could deploy additional malware,” Immersive’s Breen said. “This kind of exploit will be highly sought after by e-crime and ransomware groups where, if successfully weaponized, could be used to target hundreds of organizations with very little effort.”

For more details on the updates released today, check out roundups by Action1, Automox and Qualys, If today’s updates cause any stability or usability issues in Windows, will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.

12 thoughts on “Microsoft Patch Tuesday, May 2023 Edition

  1. mealy

    “To help protect against this vulnerability, we recommend users read email messages in plain text format”
    “It would also help if they never open Outlook ever again, but we can’t officially recommend that yet.”

  2. Wannabe techguy

    At least four dozen?!! I don’t miss Windoze.

    1. Doug in MKE

      Wow talk about a situation ripe for civil trial for assault, with subsequent huge damages, … it’s Microsoft for making bazillion$ off of poorly designed and implemented Application and Operating Systems.

      “Preview Pane” should have nevsr been invented (or given the seemngly innocuous moniker). “AutoOpen (and Auto Get the Virus Of The Week)” is more descriptive. Likewise, the default-to-ON display of HTML-based email messages was a Bad Idea (and the invention of HTML Mail in the first place) for allowing easy embedding of malware.should have never seen the light of day. The dangers of those inventions were evident when they were introduced…but once the Genie was out of the bottle and Users saw it by default, woe to the SysAdmin who tries to get users to stop. I sure wiish the “workaround” write-up included mention of Registry Keys and Group Policy settings to mass-deploy turning OFF Preview Pane and turning ON “View As PlainText”.

      Meanwhile, this whole Safeboot Bypass fiasco is a True Downer. Great idea to invent a DOS-based replacement (UEFI) for BIOS in the first place. Reading the details, this week’s patch is only the beginning of a six month process. The post-patch manual intervention REQUIRE updated Installation Media, and render useless all image backups and Recovery Media. The “solution” awaits additional software from Microsoft and from OEM vendors. Moreover, dual-boot environments await solutions fro the other Operating System developers. If you take post-patch action to actually execute the Vulnerability Mitigations, you risk bricking the computer. There are going to be a lot of very stuck people.

      1. Mahhn

        MS has always been and still is Dos (now called powershell) and xml tables. It never modernized, it just got fatter and fatter.
        So the same types of exploits (injections) are developed over and over, since all they can do is patch (block commands) until it’s so bloated or locked down it’s useless.
        Time for a new OS from scratch, without dos and xml. But, I’m not holding my breath. There’s nobody to build it but AI, and that is sad (in multiple ways).

  3. Norty

    This made me laff but it’s true. Well said!

  4. Hlaton

    Why again microsoft forced upgrades to windows 10 clients with big screen advisory for install the windows 11

    1. mealy

      Because they’re ending new feature rollouts for 10.
      So if you want to experience the latest bugs, you need 11.

      1. Doug In MKE

        but to get Win11, your hardware must support it… which is usually an issue of the video chip being able to support Windows Display Driver Model 1.1 or something else not readily apparent. Yet, I distinctly recall, at the Windows 10 rollout, Microsoft declaring something along the lines of “Win 10 is the last version and we will update it forever”.

        The Planned Obsolescence Model embraced by Microsoft Windows, Google Android, and Apple IOS harkens back to the ’50’s Tail Fin era mindset of the US Automobile Industry — and look where that got them. I shoudn’t have to throw out my cellphone or my computer just because some punk fad-addled coder can’t write unbloated compact clean code that is backwards compatible with devices introduced just before “they” started Tech School to learn This Year’s Slick New Language.

        There are plenty of flavors of Linux and of OpenBSD/ FreeBSD/ NetBSD out there that run just fine on “old” hardware. Microsoft Beware.

        1. mealy

          You’re quite right but the vast majority of people aren’t linux-ready.
          It’s been repeatd “any day now” some new distro would win that,
          but the bridge is too far. Apple also fails at once core competency.
          Windows leads you into a briar patch but holds your hand mostly.
          Linux is like the matrix, you need to believe or you fall off a building.

  5. RK

    I updated my desktop and notebook a couple days ago. Both W10 22H2. Restarted OK. No probs so far.

Comments are closed.