Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including two zero-day bugs that it said are being actively exploited in the wild.
Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months."
Of the 38 vulnerabilities, six are rated Critical and 32 are rated Important in severity. Eight of the flaws have been tagged with "Exploitation More Likely" assessment by Microsoft.
This is aside from 18 flaws – including 11 bugs since the start of May – the Windows maker resolved in its Chromium-based Edge browser following the release of April Patch Tuesday updates.
Topping the list is CVE-2023-29336 (CVSS score: 7.8), a privilege escalation flaw in Win32k that has come under active exploitation. It's not immediately clear how widespread the attacks are.
"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said, crediting Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra for reporting the flaw.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to apply vendor fixes by May 30, 2023.
Also of note are two publicly known flaws, one of which is a critical remote code execution flaw impacting Windows OLE (CVE-2023-29325, CVSS score: 8.1) that could be weaponized by an actor by sending a specially crafted email to the victim.
Microsoft, as mitigations, is recommending that users read email messages in plain text format to protect against this vulnerability.
The second publicly known vulnerability is CVE-2023-24932 (CVSS score: 6.7), a Secure Boot security feature bypass that's weaponized by the BlackLotus UEFI bootkit to exploit CVE-2022-21894 (aka Baton Drop), which was resolved in January 2022.
"This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled," Microsoft said in a separate guidance.
"This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device."
It's worth noting that the fix shipped by Microsoft is disabled by default and requires customers to manually apply the revocations, but not before updating all bootable media.
"Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device," Microsoft cautioned. "Even reformatting of the disk will not remove the revocations if they have already been applied."
The tech giant said it's taking a phased approach to completely plug the attack vector to avoid unintended disruption risks, an exercise that's expected to stretch until the first quarter of 2024.
"Modern UEFI-based Secure Boot schemes are extremely complicated to configure correctly and/or to reduce their attack surfaces meaningfully," firmware security firm Binarly noted earlier this March. "That being said, bootloader attacks are not likely to disappear anytime soon."
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
- Adobe
- AMD
- Android
- Apache Projects
- Apple
- Aruba Networks
- Cisco
- Citrix
- Dell
- Drupal
- F5
- Fortinet
- GitLab
- Google Chrome
- Hitachi Energy
- HP
- IBM
- Intel
- Juniper Networks
- Lenovo
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NETGEAR
- NVIDIA
- Palo Alto Networks
- Qualcomm
- Samsung
- SAP
- Schneider Electric
- Siemens
- SolarWinds
- Synology
- Veritas
- VMware
- Zoho, and
- Zyxel