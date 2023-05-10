



Microsoft’s May 2023 security update is the lowest volume since August 2021, containing fixes for a total of 49 new vulnerabilities, including two actively exploited by attackers.

This update contains fixes for nine vulnerabilities in the open-source Chromium engine upon which Microsoft’s Edge browser is based. The company identified seven of the remaining 40 vulnerabilities as critical and the rest as “important.”

Actively Exploited Flaws

The two actively exploited vulnerabilities that Microsoft fixed in its May updates mark the fifth month in a row that Microsoft has disclosed at least one zero-day bug on Patch Tuesday. One of the new zero-days this month is a Win32k privilege escalation vulnerability, tracked as CVE-2023-29336, which an attacker can exploit to gain complete control of an affected system.

The fact that it was anti-malware vendor Avast that reported the bug to Microsoft suggests threat actors are using it to distribute malware, according to Trend Micro’s Zero-Day Initiative (ZDI), whose researchers discussed the bug in a blog post.

“This kind of privilege escalation is usually combined with code execution bugs to spread malware,” said ZDI. “As usual, Microsoft has provided no information on how widespread these attacks may be.”

There are currently no workarounds or alternative fixes for this vulnerability, so patching is the most effective way to reduce risk, said M. Walters, vice president of vulnerability and threat research at Action 1, in an emailed comment. “In light of this, it is absolutely critical to update systems quickly with the patches provided,” Walters advised.

The second bug in this month’s update that attackers are currently exploiting is a security feature bypass vulnerability in Windows Secure Boot, the feature that protects the boot process from unauthorized changes and malicious software during system startup.

Identified as CVE-2023-24932, this bug allows an attacker to bypass Secure Boot and install a boot policy of their choice. An attacker would need physical access or administrative privileges on the affected machine to exploit this vulnerability. Satnam Narang, senior staff engineer at Tenable, said the vulnerability appears to be related to BlackLotus, a UEFI bootkit that security vendor ESET first reported in March 2023.

Many RCEs again

Nearly a quarter, or 12, of the vulnerabilities disclosed by Microsoft in the May 2023 update allow remote code execution. Eight are information disclosure flaws, and six allow attackers to bypass security controls.

The RCEs affect Microsoft’s Network File System (NFS) protocol for file sharing and remote access over networks; Windows Pragmatic General Multicast (PGM); the Windows Bluetooth Driver; and Windows Lightweight Directory Access Protocol (LDAP).

Several security vendors have identified the Microsoft NFS RCE (CVE-2023-24941) as a risk that organizations should prioritize. Microsoft assigned the CVE its highest severity score of 9.8 in the May update because the attack associated with the bug is of low complexity and requires no user interaction. According to Microsoft, a low-privileged attacker could exploit this vulnerability over the network through an unauthenticated, specially crafted call to the NFS service.

The company has released a mitigation for the vulnerability. However, it warns that organizations that have not yet installed the patch for a previous vulnerability in NFSV2.0 and NFSV3.0 (CVE-2022-26937), fixed by Microsoft in May 2022, should not use the mitigation.

“The NFS protocol is more common in Linux and Unix environments than in Windows, where the SMB protocol is more common,” commented Yoav Iellin, senior researcher at Silverfort, in an email. “Nevertheless, organizations using Windows servers as NFS servers should consider applying Microsoft’s patch as soon as possible,” he said.

Other critical bugs

The SANS Internet Storm Center pointed out another bug in the May set that organizations need to pay attention to: a Windows LDAP RCE, CVE-2023-28283, even though Microsoft itself has rated the bug as unlikely to be exploited. This vulnerability allows an attacker to achieve RCE within the context of the LDAP service via specially crafted calls to LDAP.

An unauthenticated attacker who successfully exploited this vulnerability could execute code via a series of specially crafted LDAP calls, resulting in arbitrary code execution within the context of the LDAP service. But exploiting this vulnerability is very complex, SANS said.

One of the critical flaws that Microsoft describes as likely to be exploited, because proof-of-concept code is already available, is CVE-2023-29325, an RCE in Windows Object Linking and Embedding (OLE) technology. An attacker could exploit this vulnerability by sending a specially crafted email to the victim and getting the victim to open the email in an affected version of Microsoft Outlook or view it in the preview pane.

“A mere glimpse of a carefully crafted malicious email in Outlook’s preview pane can lead to remote code execution and compromise of the recipient’s computer,” said Iellin.

Until the issue is patched, Microsoft recommends that users read their email in plain text format to protect against the flaw. The company also provided guidance on how administrators can configure Outlook to read all standard email in plain text.
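As an added example (not from the article and not Microsoft’s own guidance), the following PowerShell script lets an administrator check whether the plain-text reading option is already in place on a workstation and, with `-Enforce`, set it for the current user. It assumes Outlook 2016/2019/Microsoft 365, whose per-user options live under the `16.0` registry key, and uses the `ReadAsPlain` DWORD value (1 = enabled) that Microsoft’s Outlook documentation associates with the “Read all standard mail in plain text” option; the key path for other Office versions is an assumption you should verify.

```powershell
# Added example: report, and optionally enforce, Outlook's
# "read all standard mail in plain text" setting for the current user.
# Assumption: Outlook 2016/2019/Microsoft 365 (Office key version 16.0).
# ReadAsPlain DWORD = 1 is the value Microsoft's Outlook documentation
# describes for this option; adjust -OfficeVersion for other builds.
param(
    [switch]$Enforce,                 # write the value instead of only reporting
    [string]$OfficeVersion = '16.0'   # assumption: Office build in use
)

$keyPath = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"

function Get-ReadAsPlainState {
    # Returns whether the key exists, whether the value is present, and whether it is 1.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Enabled = $false }
    }
    $value = (Get-ItemProperty -Path $Path -Name 'ReadAsPlain' -ErrorAction SilentlyContinue).ReadAsPlain
    [pscustomobject]@{
        Path    = $Path
        Present = ($null -ne $value)
        Enabled = ($value -eq 1)
    }
}

$state = Get-ReadAsPlainState -Path $keyPath

if ($state.Enabled) {
    Write-Output "OK: Outlook renders standard mail as plain text ($($state.Path))"
}
elseif ($Enforce) {
    # Create the key if needed, then set the DWORD; Outlook reads it on next start.
    New-Item -Path $keyPath -Force | Out-Null
    New-ItemProperty -Path $keyPath -Name 'ReadAsPlain' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "SET: ReadAsPlain=1 written to $keyPath (restart Outlook to apply)"
}
else {
    Write-Output "WARN: plain-text reading is not enabled for this user; re-run with -Enforce or deploy the setting centrally"
}
```

In a managed environment the same value is better pushed through Group Policy so that it is enforced rather than user-editable; the script is most useful as a quick compliance check on individual machines while the Outlook patch for CVE-2023-29325 is rolled out.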

