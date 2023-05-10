



While May’s Patch Tuesday was relatively small, one Windows zero-day will burden administrators over the next few months.

Microsoft released 38 unique new vulnerabilities, six of them rated critical, and updated 13 previously published security updates, for a total of 51 CVEs addressed in May Patch Tuesday. The company addressed two new Windows zero-days, one of which was publicly disclosed, and a third publicly disclosed vulnerability in Windows OLE. Of the republished security updates, 11 were reposted due to information changes.

Additional work will be required to fix Windows zero-day secure boot bug

Administrators complete most of their Patch Tuesday work once the Windows security updates are deployed, but one vulnerability requires extensive manual effort to protect systems from bootkit malware.

CVE-2023-24932 is a Secure Boot security feature bypass vulnerability. This vulnerability, which affects Windows Server and desktop systems, is being actively exploited and has been publicly disclosed. Attackers need physical access to the system or administrative privileges to exploit the vulnerability, which the BlackLotus bootkit uses, and execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level.

UEFI bootkits are particularly dangerous because they run before the operating system and have the ability to bypass or turn off multiple Windows protections such as BitLocker and Microsoft Defender Antivirus.

Applying the patch is only the first step. Next, administrators need to obtain updated bootable media from Microsoft or the device manufacturer and work through the process of updating the boot manager. Only after performing these steps can customers turn on the protections in the security update.


“If you’re using some kind of bootable media to provision a new system, you should update it to a version that might inject bad stuff when you install the new OS,” said Chris Goettl, vice president of security product management at Ivanti.

This is the first of three phases to resolve the issue. On Patch Tuesday in July, Microsoft will release more update options to ease the complexity of the deployment process. In the final phase, scheduled for the first quarter of 2024, Microsoft will enable the fix for CVE-2023-24932 by default, enforcing the boot manager revocations on Windows systems.

“With updates like this, there are so many additional steps to consider, and it’s a pain,” said Goettl. “When you have that amount of work, one person can get stuck trying to do all these things for a very long time.”

Another zero-day in May Patch Tuesday is a Win32k elevation-of-privilege vulnerability (CVE-2023-29336) rated Important. This flaw affects Windows 10 and Windows Server 2008 through 2016 systems. A successful exploit could give the attacker complete control over the system. Fixing this bug shouldn’t be much of a hassle: applying this month’s cumulative update resolves it.

Windows OLE flaw exposes Microsoft Outlook to potential threats

A critical remote code execution vulnerability (CVE-2023-29325) in Windows Object Linking and Embedding (OLE) has been made public.

Microsoft reported that proof-of-concept code is available but did not detect any active exploitation before releasing the security update for this flaw. An attacker could exploit the vulnerability, which affects Windows Server and desktop systems, over the network without user interaction.

Windows OLE refers to an integrated feature of the Windows OS that displays previews of objects such as spreadsheets and images without the need to run a separate application.

Microsoft Outlook’s preview pane is an attack vector: when the recipient of a specially crafted email views the message in the preview pane, an attacker could remotely execute code on that user’s machine.

“If you’re really worried about this and you don’t plan on pushing an OS update for a while, you can change your Outlook settings to display emails in plain text until the update happens,” Goettl said.

Rich Text Format (RTF) documents are also susceptible to this issue.
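The plain-text workaround Goettl describes can be set per user from the registry rather than through the Outlook dialog, which is handy when it has to be rolled out by script. The following PowerShell is an added example written for this article; it is not code from the article, from Ivanti or from Microsoft. It assumes Outlook 2016/2019/365 (Office registry version 16.0) and the ReadAsPlain value under the user's Outlook mail options; both are assumptions to verify against your installed release.

```powershell
# Added example (not from the article, Ivanti or Microsoft): switch Outlook to
# rendering all mail as plain text via the per-user ReadAsPlain registry value,
# then verify the setting. Assumes Office registry version 16.0 (Outlook 2016+).
$OfficeVersion = '16.0'   # assumption: adjust for the installed Office release
$MailKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"

function Get-OutlookReadAsPlain {
    # Returns $true when Outlook is configured to render mail as plain text.
    if (-not (Test-Path $MailKey)) { return $false }
    $value = Get-ItemProperty -Path $MailKey -Name 'ReadAsPlain' -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.ReadAsPlain -eq 1)
}

function Set-OutlookReadAsPlain {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Create the key path if this user has never changed these options.
    if (-not (Test-Path $MailKey)) { New-Item -Path $MailKey -Force | Out-Null }
    # ReadAsPlain = 1 renders every message as plain text; 0 restores HTML rendering.
    New-ItemProperty -Path $MailKey -Name 'ReadAsPlain' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    # Outlook reads this value at start-up, so the change applies on next launch.
    return (Get-OutlookReadAsPlain) -eq $Enabled
}

# Usage: enable the interim mitigation, then confirm it took effect.
if (Set-OutlookReadAsPlain -Enabled $true) {
    Write-Host "Outlook will render mail as plain text after its next start."
} else {
    Write-Warning "Setting could not be verified; check permissions on $MailKey."
}
```

Run `Set-OutlookReadAsPlain -Enabled $false` to restore HTML rendering once the OS update is deployed. Because the value lives under HKCU, it must be applied in each user's context (a logon script or a user-scope configuration item), not once per machine.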

Other Notable Security Updates for May Patch Tuesday

One of this month’s critical vulnerabilities outside the Windows product family is CVE-2023-24955, a remote code execution vulnerability in SharePoint Server with a CVSS base score of 7.2. Microsoft rates the attack complexity as low, and the exploit does not require user interaction.

“A network-based attack could allow an attacker authenticated as the site owner to remotely execute code on the SharePoint server,” Microsoft wrote in its CVE note.

This vulnerability affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition.

The Windows Network File System (NFS) remote code execution vulnerability (CVE-2023-24941) is rated Critical with a CVSS base score of 9.8. An attacker could exploit it over the network by sending specially crafted calls to the NFS service on Windows Server systems, without authentication or user interaction, to execute code remotely.

Organizations that cannot patch immediately can mitigate affected machines by disabling NFS version 4.1, but Microsoft warned that this could have a negative effect on the environment and should only be done on systems with the May 2022 Windows security patches applied.
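The caveat in that paragraph, that NFS 4.1 should only be disabled on servers that already carry the May 2022 update, is easy to lose when the mitigation is scripted. The PowerShell below is an added example for this article, not code from the article or from Microsoft. It assumes the NFS server role and its PowerShell module are installed, that the session is elevated, and that `$RequiredKB` is replaced with the actual May 2022 update ID for the server's OS (the article gives none, so a placeholder is used).

```powershell
# Added example (not from the article or from Microsoft): interim mitigation for
# CVE-2023-24941 on a Windows Server NFS server, as the article describes it:
# disable NFS version 4.1 only after confirming the May 2022 security update is
# present. Assumptions: NFS server role and module installed, elevated session,
# and $RequiredKB set to the real May 2022 update ID (placeholder below).
#Requires -RunAsAdministrator

function Test-PrerequisiteUpdate {
    param([Parameter(Mandatory)][string]$KBId)
    # Get-HotFix lists installed Windows updates; a missing ID returns nothing.
    return $null -ne (Get-HotFix -Id $KBId -ErrorAction SilentlyContinue)
}

function Get-NfsV4State {
    # EnableNFSV4 reports whether the server accepts NFS v4.x clients.
    return (Get-NfsServerConfiguration).EnableNFSV4
}

function Disable-NfsV4Mitigation {
    param([Parameter(Mandatory)][string]$RequiredKB)
    if (-not (Test-PrerequisiteUpdate -KBId $RequiredKB)) {
        # Microsoft's caveat: do not apply this change to an unpatched server.
        Write-Warning "$RequiredKB is not installed; apply the May 2022 update before disabling NFSv4.1."
        return $false
    }
    if (-not (Get-NfsV4State)) {
        Write-Host "NFS v4 is already disabled; nothing to do."
        return $true
    }
    # Turn off the v4 protocol; v2/v3 are governed by separate settings.
    Set-NfsServerConfiguration -EnableNFSV4 $false
    # The NFS server picks up the change only after a restart.
    nfsadmin server stop
    nfsadmin server start
    return -not (Get-NfsV4State)
}

# Usage: replace the placeholder with the May 2022 update ID for this OS build.
$RequiredKB = 'KB0000000'   # placeholder, not a real update number
if (Disable-NfsV4Mitigation -RequiredKB $RequiredKB) {
    Write-Host "NFS v4.1 disabled; clients must use NFS v3 until the fix is applied."
}
```

Once the May 2023 update is installed, reverse the change with `Set-NfsServerConfiguration -EnableNFSV4 $true` followed by the same stop/start cycle; leaving v4.1 off longer than necessary forces clients onto older protocol versions and is the "negative effect" the article warns about.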

