Microsoft fixes 38 flaws, including 3 zero-day vulnerabilities, with Patch Tuesday update
A lighter Patch Tuesday, but some rather nasty 0-day flaws exploited by cyber-criminals
By Alfonso Maruccia
In context: The unofficial "Patch Tuesday" moniker describes Microsoft's decades-old tradition of releasing relevant security updates for all the company's products on the same day. Every second Tuesday of the month for the last 20 years, Redmond has updated Windows, Office and many other programs used by millions of PC users worldwide.
Compared to previous releases with their huge number of bug fixes, Patch Tuesday for May 2023 is a rather meager update providing security fixes for a total of 38 different flaws. Microsoft's official bulletin of the month includes security notices for several Windows components, programs belonging to the Office productivity suite, Sysinternals utilities for power users, and the Chromium-based Edge browser.
Flaws fixed by the latest Patch Tuesday are classified as follows: eight elevation of privilege vulnerabilities, four security feature bypass vulnerabilities, 12 remote code execution vulnerabilities, eight information disclosure vulnerabilities, five denial of service (DoS) vulnerabilities, and one spoofing vulnerability. Six of the bugs are classified as "critical," providing a potential way for cyber-criminals to remotely execute their malicious code.
The list of flaws solved in May's Patch Tuesday doesn't include 11 vulnerabilities found in the Edge browser, which were fixed with a previous update released on May 5.
As for non-security related updates, Microsoft released cumulative patch packages for Windows 11 (KB5026372) and Windows 10 (KB5026361, KB5026362). A complete report about all the fixed flaws and related advisories has been published by Bleeping Computer.
The most interesting zero-day flaw fixed with this month's Patch Tuesday is tracked as CVE-2023-24932, or "Secure Boot Security Feature Bypass Vulnerability." The bug has been exploited by cyber-criminals to spread the BlackLotus UEFI malware, a complex and dangerous threat to Windows security which, for attackers with physical access or administrative rights, could bypass Secure Boot and other advanced security features to completely "own" a target device.
The patch for CVE-2023-24932 addresses the vulnerability by updating the Windows Boot Manager, but is not enabled by default. Microsoft acknowledges this vulnerability is a bypass for the previously fixed CVE-2022-21894 flaw. The other actively exploited 0-day flaw of the month is CVE-2023-29336, or "Win32k Elevation of Privilege Vulnerability." An attacker could exploit this flaw in the Windows kernel driver to elevate user privileges to system level, Microsoft explains.
Last but not least, Patch Tuesday fixes a previously disclosed but not actively exploited 0-day vulnerability tracked as CVE-2023-29325, or "Windows OLE Remote Code Execution Vulnerability." The flaw could be exploited by sending a maliciously crafted email, forcing a vulnerable version of Microsoft Outlook to execute remote code on the target machine.
Microsoft rolled out this month's patches via Windows Update, update management systems such as WSUS, and as direct downloads available on the Microsoft Update Catalog website. Other software companies providing security fixes in sync with Microsoft's Patch Tuesday include Apple, Cisco, CISA, Google, and SAP.
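As an added example that is not part of the article, the following PowerShell check is what a Windows administrator might run after deployment: it confirms that one of the May 2023 cumulative updates listed above is installed and reports the Secure Boot state. The KB-to-OS mapping comes from the article; the variable names and output wording are my own assumptions.

```powershell
# Added example (not from the article): post-deployment check for the May 2023 Patch Tuesday updates.
# KB numbers and their OS mapping are taken from the article text.
$MayUpdates = @{
    'KB5026372' = 'Windows 11'
    'KB5026361' = 'Windows 10'
    'KB5026362' = 'Windows 10'
}

# Get-HotFix lists installed updates; cumulative updates show up by their KB id.
$installed = Get-HotFix | Where-Object { $MayUpdates.ContainsKey($_.HotFixID) }

if ($installed) {
    foreach ($hf in $installed) {
        Write-Output ("Installed: {0} ({1}) on {2}" -f $hf.HotFixID, $MayUpdates[$hf.HotFixID], $hf.InstalledOn)
    }
} else {
    Write-Warning "None of the May 2023 cumulative updates (KB5026372, KB5026361, KB5026362) is installed."
}

# Secure Boot state. Confirm-SecureBootUEFI needs elevation and throws on legacy BIOS machines,
# so the failure is caught and reported rather than aborting the script.
try {
    $secureBoot = Confirm-SecureBootUEFI
    if ($secureBoot) {
        Write-Output "Secure Boot: enabled"
    } else {
        Write-Warning "Secure Boot: disabled - the Boot Manager fix for CVE-2023-24932 gives no protection here."
    }
} catch {
    Write-Warning "Secure Boot state could not be read (legacy BIOS or not running elevated): $($_.Exception.Message)"
}

# Caveat: as the article notes, the CVE-2023-24932 Boot Manager mitigation ships disabled by default,
# so an installed KB does not by itself mean the bypass is closed; follow Microsoft's enablement guidance.
```

Run the script in an elevated PowerShell session so that the Secure Boot query succeeds.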