
Patch O’clock!

Microsoft has released its Patch Tuesday updates for May 2023, aimed at addressing a total of 38 security
vulnerabilities. Among these, two zero-day bugs are actively being exploited in the wild. Trend Micro's
Zero Day Initiative (ZDI) noted that this volume of vulnerabilities is the lowest since August 2021, but
expects the number to increase in the coming months.
Out of the 38 vulnerabilities, six are classified as Critical, while 32 are rated as Important in terms of
severity. Microsoft has identified eight flaws as having a higher likelihood of exploitation. Additionally,
Microsoft has resolved 18 flaws in its Chromium-based Edge browser since the April Patch Tuesday
updates, including 11 bugs that were addressed since the beginning of May.
At the top of the list is CVE-2023-29336, which has a CVSS score of 7.8. This vulnerability is a privilege
escalation flaw in Win32k and is currently being actively exploited. The full extent of the attacks and their
prevalence is not immediately known.
According to Microsoft, if successfully exploited, an attacker could gain SYSTEM privileges. The credit
for reporting this flaw goes to Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra.
Due to the seriousness of the vulnerability, the U.S. Cybersecurity and Infrastructure Security Agency
(CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalogue. CISA urges organizations to
apply the provided fixes from the vendor before May 30, 2023.
Two of the flaws were publicly known before the patches shipped. The first is a critical remote code execution
vulnerability in Windows OLE (CVE-2023-29325), CVSS 8.1, which an attacker can trigger by sending a specially
crafted email to the victim. Alongside the fix, Microsoft is advising users to read email in plain text as a
mitigation: in plain-text mode the rich (HTML/RTF) body is not rendered, so any embedded rich content
such as an OLE object is never parsed by the mail client.
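As an added example (this is not code from the original article or from Microsoft), the following PowerShell applies and verifies the plain-text mitigation on an Outlook client. The registry location and the `ReadAsPlain` value are taken from Microsoft's long-standing Outlook documentation, not from this page, and the Office version number `16.0` is an assumption for Office 2016/2019/365 builds; confirm both for the builds in your estate before deploying.

```powershell
# Added example, not from the original article or from Microsoft's advisory.
# Applies (or reverts) the "read all mail as plain text" mitigation for CVE-2023-29325.
# ASSUMPTIONS: HKCU:\...\Office\16.0\Outlook\Options\Mail\ReadAsPlain (DWORD 1) is the
# documented Outlook setting as I recall it; 16.0 is assumed for Office 2016/2019/365.
param(
    [string]$OfficeVersion = '16.0',
    [switch]$Revert
)

$key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"

function Get-PlainTextState {
    # $true when Outlook is configured to render every message as plain text.
    $v = Get-ItemProperty -Path $key -Name ReadAsPlain -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.ReadAsPlain -eq 1)
}

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

if ($Revert) {
    # Remove the override so Outlook returns to rendering HTML/RTF bodies.
    Remove-ItemProperty -Path $key -Name ReadAsPlain -ErrorAction SilentlyContinue
} else {
    # DWORD 1 = display all messages as plain text. HTML/RTF bodies are not rendered,
    # so embedded rich content (including OLE objects) is not parsed in the reading pane.
    New-ItemProperty -Path $key -Name ReadAsPlain -PropertyType DWord -Value 1 -Force | Out-Null
}

if (Get-PlainTextState) {
    Write-Output "Outlook $OfficeVersion: messages will be displayed as plain text (mitigation active)."
} else {
    Write-Output "Outlook $OfficeVersion: plain-text mitigation NOT active."
}
```

The setting lives under HKCU, so it is per user and per profile; for a fleet, push the same value through Group Policy or Intune rather than running the script interactively. Treat it as a stop-gap only: it does not replace installing the May update, and it degrades rendering of legitimate mail.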
The second publicly known vulnerability is CVE-2023-24932, CVSS 6.7, a Secure Boot security feature bypass.
It is the flaw abused by the BlackLotus UEFI bootkit: BlackLotus originally exploited CVE-2022-21894 (also
known as Baton Drop), which Microsoft patched in January 2022, and CVE-2023-24932 covers the bypass of
that earlier fix that allowed the bootkit to keep working on patched systems.

The specific impact of CVE-2023-24932 is that it enables an attacker to execute self-signed code at the
Unified Extensible Firmware Interface (UEFI) level, even when Secure Boot is enabled. According to
Microsoft's separate guidance, threat actors primarily utilize this vulnerability for persistence and defense
evasion purposes. However, successful exploitation of this vulnerability requires either physical access to
the targeted device or local administrator privileges.

It is important to note that the fix provided by Microsoft is disabled by default. Customers are required to
manually apply the revocations after updating all bootable media to effectively address this vulnerability.
Microsoft issued a cautionary statement stating that once the mitigation for the mentioned vulnerability
(CVE-2023-24932) is enabled on a device, it cannot be reverted if Secure Boot is still in use. Even
reformatting the disk will not remove the applied revocations.
To ensure the security of the affected devices, Microsoft is implementing a phased approach to fully
address the attack vector. This approach is being taken to mitigate any potential risks of unintended
disruptions and is expected to continue until the first quarter of 2024.
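Because the revocations are opt-in and cannot be undone, the step a practitioner most wants is a pre-flight check before flipping the switch. The PowerShell below is an added example (not code from the original article or from Microsoft): it reports the current Secure Boot state, whether the opt-in has already been requested, and recent Secure Boot update events, and wraps the opt-in itself behind an explicit acknowledgement. The `Secureboot\AvailableUpdates = 0x30` registry opt-in and the `Microsoft-Windows-TPM-WMI` event source are taken from Microsoft's separate KB guidance for this CVE (KB5025885) as I recall it, not from this page; verify them against the current revision of that KB before use, since the phased rollout means the procedure changes over time.

```powershell
# Added example, not from the original article or from Microsoft's KB.
# Pre-flight check and guarded opt-in for the CVE-2023-24932 Secure Boot revocations.
# ASSUMPTIONS (verify against the current KB5025885): the opt-in is requested by setting
# HKLM\SYSTEM\CurrentControlSet\Control\Secureboot\AvailableUpdates to 0x30 and rebooting;
# Secure Boot DBX update results are logged in the System log by Microsoft-Windows-TPM-WMI.
$sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

function Get-SecureBootRevocationStatus {
    # Everything an admin should look at before applying an irreversible change.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # $false on legacy BIOS too
    $avail = (Get-ItemProperty -Path $sbKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $requested = ($null -ne $avail) -and (($avail -band 0x30) -eq 0x30)

    # Recent Secure Boot events show whether an earlier attempt succeeded, failed,
    # or was rejected by the firmware (the message text is what to read).
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI' } `
                           -MaxEvents 20 -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'Secure Boot' } |
              Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }

    [pscustomobject]@{
        SecureBootEnabled      = $secureBoot
        RevocationRequested    = $requested
        AvailableUpdatesValue  = if ($null -ne $avail) { '0x{0:X}' -f $avail } else { '<not set>' }
        RecentSecureBootEvents = $events
    }
}

function Request-SecureBootRevocation {
    # Opt-in step. Run only after ALL bootable media for this machine (recovery, install,
    # backup images) have been rebuilt with the patched boot manager: media carrying the old
    # boot manager will no longer pass Secure Boot once the revocations take effect.
    param([switch]$IUnderstandThisIsIrreversible)

    if (-not $IUnderstandThisIsIrreversible) {
        throw 'Refusing: pass -IUnderstandThisIsIrreversible only after updating all bootable media.'
    }
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled on this system; the revocations apply to Secure Boot systems.'
    }
    Set-ItemProperty -Path $sbKey -Name AvailableUpdates -Type DWord -Value 0x30
    Write-Output 'Revocation requested; reboot to apply, then re-run Get-SecureBootRevocationStatus.'
}

# Usage: run as Administrator, review the status first, then (if ready) call
# Request-SecureBootRevocation -IUnderstandThisIsIrreversible
Get-SecureBootRevocationStatus | Format-List
```

Run the status function on a representative sample of hardware models before any fleet-wide opt-in, and keep at least one rebuilt recovery image per model verified to boot under Secure Boot; the page's warning that even reformatting the disk will not remove the revocations is the reason the opt-in is guarded rather than automated here.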
According to firmware security firm Binarly, modern UEFI-based Secure Boot schemes are difficult to configure
correctly and to use effectively for attack-surface reduction, so bootloader attacks are likely to remain a
persistent security concern.

It is also patch season more broadly, and several other vendors have recently released security updates, including:

• Zoho
• VMware
• SolarWinds
• Fortinet
• Google Chrome
• Debian
• Red Hat
• Apple
• AMD
• Android
• Apache Projects
