Microsoft's security update for May 2023 is the lightest in volume since August 2021 with fixes for a total of 49 new vulnerabilities including two that attackers are actively exploiting.
The update includes fixes for nine vulnerabilities in the open-source Chromium engine on which Microsoft's Edge browser is based. The company identified seven of the remaining 40 vulnerabilities as being of critical severity and the rest as being "important".
Actively Exploited Flaws
The two actively exploited vulnerabilities that Microsoft fixed in its May update marks the fifth straight month the company has disclosed at least one zero-day bug on Patch Tuesday. One of the new zero-days this month is a Win32k privilege escalation vulnerability tracked as (CVE-2023-29336) that attackers can exploit to gain complete control of affected systems.
The fact that it was an anti-malware vendor — Avast — that reported the bug to Microsoft suggests that threat actors are using the bug to distribute malware, researchers at Trend Micro's Zero Day Initiative (ZDI) said in a blog post.
"This type of privilege escalation is usually combined with a code execution bug to spread malware," ZDI said. "As always, Microsoft offers no information about how widespread these attacks may be."
Currently, there are no workarounds or alternative fixes available for the flaw, which means patching is the most effective way to mitigate risk, said M. Walters, vice president of vulnerability and threat research at Action 1 in emailed comments. "In light of this, it is absolutely crucial to promptly update systems with the provided patches," Walters advised.
The second bug in this month's update that attackers are currently exploiting is a security feature bypass vulnerability in the Windows Secure Boot feature for protecting the boot process from unauthorized changes and malicious software during system startup.
The bug, identified as CVE-2023-24932, allows an attacker to bypass Secure Boot and install a boot policy of their choice. An attacker would need physical access or administrative rights on an affected machine to exploit the flaw. Satnam Narang, senior staff engineer at Tenable, said the flaw appears related to BlackLotus, a UEFI bootkit that security vendor ESET first reported on in March 2023.
A Slew of RCEs — Again
Nearly one-quarter, or 12 of the vulnerabilities that Microsoft disclosed in its May 2023 update enable remote code execution; eight are information disclosure flaws; and six let attackers bypass security controls.
The RCEs affect Microsoft's Network File System (NFS) protocol for file sharing and remote access over a network; the Windows Pragmatic General Multicast (PGM); Windows Bluetooth Driver; and the Windows Lightweight Directory Access Protocol (LDAP).
Several security vendors identified an RCE in Microsoft NFS (CVE-2023-24941) as one that organizations need to prioritize due to the risk it presents. Microsoft has assigned the CVE a severity score of 9.8 — the highest in the May update — because of the low attack complexity associated with the bug, and also the fact that it requires no user interaction. An attacker with low privileges could exploit the flaw over the network via an unauthenticated, specially crafted call to an NFS service, Microsoft said.
The company has released a mitigation for the vulnerability. But it cautioned organizations from using the mitigation if they have not already installed the patch for a previous flaw in NFSV2.0 and NFSV3.0 (CVE-2022-26937) that Microsoft patched in May 2022.
"The NFS protocol is more common in Linux and Unix environments than in Windows, where SMB protocol is more common," said Yoav Iellin, senior researcher, Silverfort, in an emailed comment. "Even so, organizations using Windows server as their NFS server should consider applying Microsoft's fix promptly," Iellin said.
Other Critical Bugs
The SANS Internet Storm Center pointed to CVE-2023-28283, an RCE in Windows LDAP as another bug in May's set that organization should pay attention to even though Microsoft itself has assessed the bug as less likely to be exploited. The vulnerability gives attackers a way to gain RCE within the context of the LDAP service via specially crafted LDAP calls.
An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service. But attacking the vulnerability involves a high degree of complexity, SANS said.
One of the critical flaws that Microsoft described as more likely to be exploited because proof-of concept code for it is already available, is CVE-2023-29325, an RCE in Windows Object Linking and Embedding (OLE) technology. An attacker can trigger the flaw by sending a specially crafted email to a victim and having the victim either opening the email with an affected version of Microsoft Outlook, or simply viewing it in the preview pane.
"The simple act of glancing at a carefully crafted malicious email in Outlook's preview pane is enough to enable remote code execution and potentially compromise the recipient's computer," Iellin said.
Microsoft recommends that users read email in plain text format to protect against the flaw until they patch the issue. The company also provided guidance on how administrators can configure Outlook to read all standard email in plain text.