Headline
Update now! May 2023 Patch Tuesday tackles three zero-days
Categories: Exploits and vulnerabilities Categories: News Tags: Microsoft
Tags: CVE-2023-29336
Tags: CVE-2023-24932
Tags: bootkit
Tags: CVE-2023-29325
Tags: Outlook
Tags: preview
Tags: CVE-2023-24941
Tags: Apple
Tags: Cisco
Tags: Google
Tags: Android
Tags: VMWare
Tags: SAP
Tags: Mozilla
Microsoft’s Patch Tuesday round up for May 2023 includes patches for three zero-day vulnerabilities and one critical remote code execution vulnerability
(Read more…)
The post Update now! May 2023 Patch Tuesday tackles three zero-days appeared first on Malwarebytes Labs.
It’s that time of the month again: We’re looking at May’s Patch Tuesday roundup. Microsoft has released its monthly update, and while the total number of patched vulnerabilities is relatively low at 38, among them are three zero-day vulnerabilities.
Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. Of the three included in this month’s update cycle, two have been found to be actively exploited and the third has been publicly disclosed.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The three zero-days are listed as:
- CVE-2023-29336: a Win32k Elevation of Privilege (EoP) vulnerability. Exploitation of this vulnerability in the Win32k Kernel driver could provide an attacker with SYSTEM privileges. The Cybersecurity & Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2023-24932: a Secure Boot security feature bypass vulnerability. To exploit the vulnerability, an attacker needs either physical access or administrative rights to a target device to install an affected boot policy. The vulnerability has been used to install the BlackLotus UEFI bootkit, a type of malicious infection which targets the Master Boot Record located on the physical motherboard of the computer. Attaching malicious software in this manner can allow for a malicious program to be executed prior to the loading of the operating system. The primary benefit to a bootkit infection is that it cannot be detected by standard operating systems processes because all of the components reside outside of the Windows file system. UEFI and Secure Boot have been very effective in reducing the number of bootkits, but this vulnerability allows an attacker to bypass those restrictions.
- CVE-2023-29325: a Windows OLE Remote Code Execution (RCE) vulnerability. This vulnerability is present in Microsoft Outlook and Explorer and can be exploited by attackers in order to remotely install malware. Microsoft says this vulnerability can be exploited merely by viewing a specially-crafted email in the Outlook Preview Pane. This type of RCE vulnerability is bound to become very popular among malware peddlers, and knowing that it has been publicly disclosed means that it is available for them to use. Microsoft advises users that can’t install the patch immediately to read email messages in plain text format.
Another vulnerability to keep an eye on is an RCE vulnerability with a CVSS score of 9.8 out of 10. Listed as CVE-2023-24941 this is a Windows Network File System (NFS) RCE vulnerability which can be exploited over the network by making an unauthenticated, specially crafted request. This vulnerability is not exploitable in NFSV2.0 or NFSV3.0. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV4.1. This could adversely affect your ecosystem and should only be used as a temporary mitigation. More information about how to do this and when not to can be found in the Microsoft advisory about this vulnerability under Mitigation.
Other vendors
Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.
Apple released an update addressing two actively exploited zero-day flaws.
Cisco released security updates.
Google has released Android updates.
Mozilla releases security advisories for Firefox 113 and Firefox ESR 102.11.
SAP released patch day updates.
VMWare fixed four vulnerabilities in virtualization software.
Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
TRY NOW
Related news
Microsoft patched a record number of 147 new CVEs this month, though only three are rated "Critical."
It's unclear why the NSA issued in-depth mitigation guidance for the software boot threat now, but orgs should take steps to harden their environments.
The U.S. National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections of a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. To that end, the agency is recommending that "infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition." BlackLotus is an advanced
Details have emerged about a now-patched actively exploited security flaw in Microsoft Windows that could be abused by a threat actor to gain elevated privileges on affected systems. The vulnerability, tracked as CVE-2023-29336, is rated 7.8 for severity and concerns an elevation of privilege bug in the Win32k component. "An attacker who successfully exploited this vulnerability could gain
Plus: Microsoft patches two zero-day flaws, Google’s Android and Chrome get some much-needed updates, and more.
Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2023, including vulnerabilities that were added between April and May Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews. It’s been a […]
A ransomware attack on the city of Dallas, Texas is still disrupting many social services as of Wednesday, including hampering police communications and operations and potentially putting personal information at risk.
Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months." Of the 38 vulnerabilities, six are rated Critical and
Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months." Of the 38 vulnerabilities, six are rated Critical and
Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months." Of the 38 vulnerabilities, six are rated Critical and
Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.
Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.
Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.
Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.
Windows Network File System Remote Code Execution Vulnerability
Windows OLE Remote Code Execution Vulnerability
One of the vulnerabilities is being actively exploited in the wild, according to Microsoft, the fourth month in a row in which this is the case.
One of the vulnerabilities is being actively exploited in the wild, according to Microsoft, the fourth month in a row in which this is the case.
One of the vulnerabilities is being actively exploited in the wild, according to Microsoft, the fourth month in a row in which this is the case.
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors might be helpful in your situation: This vulnerability is not exploitable in NFSV2.0 or NFSV3.0. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV4.1. This could adversely affect your ecosystem and should only be used as a temporary mitigation. **Warning** You should NOT apply this mitigation unless you have installed the May 2022 Windows security updates. Those updates address CVE-2022-26937 which is a Critical vulnerability in NFSV2.0 and NFSV3.0. The following PowerShell command will disable those versions: PS C:\Set-NfsServerConfiguration -EnableNFSV4 $false After running the command, you will need to restart NFS server or reboot the machine. To restart NFS server, start a **cmd** window with...
**Is the Preview Pane an attack vector for this vulnerability?** Yes, the Preview Pane is an attack vector.
Summary Summary Today, Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894. Customers will need to closely follow the configuration guidance to fully protect against this vulnerability. This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled.
**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** An attacker who successfully exploited this vulnerability could bypass Secure Boot.
**What privileges could be gained by an attacker who successfully exploited this vulnerability?** An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.