Patch Tuesday May 2023: Vulnerability Count Dips but UEFI Bootkits Deserve Your Attention

With only 38 new vulnerabilities addressed this month, is this the calm before the storm? In my experience, dips in the number of vulnerabilities addressed on a given Microsoft Patch Tuesday are often followed by a sharp increase over the following months. While you shouldn't plan IT strategy around anecdotes or aching joints, there is some wisdom in reading the wind. Since there are so few Microsoft updates this month, use the opportunity to get ahead while you can, and brace for a larger batch of vulnerabilities, and possibly manual mitigations, after the next Patch Tuesday.
Microsoft Vulnerabilities
Microsoft has released fixes or updates for a total of 52 vulnerabilities. Some of these are republished older fixes, like CVE-2013-3900, or updates to existing advisories, like CVE-2023-23398. Of the 38 new vulnerabilities, three are zero-days that are either under active exploitation or rated Exploitation More Likely.
CVE-2023-29325 deserves a place as a priority one item for you and your teams this month. This zero-day is not under active exploitation as of publishing, but the delivery vector (a crafted email rendered by Outlook, including in the preview pane) is trivial for threat actors to use once a proof of concept is released. According to Microsoft, “In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine.” Exploitation does require some preconditions, but attacks that chain vulnerabilities together are common, and there is a high likelihood this one becomes part of widespread campaigns.
CVE-2023-24932 is a Secure Boot Security Feature Bypass vulnerability affecting Windows Server 2008 and newer OS builds, so almost every Windows system currently in production. Worth noting: the fix Microsoft released updates the Windows Boot Manager but does not enable the mitigation by default. To actually close the hole you must follow Microsoft's guidance to apply the revocations manually, and you need to plan for the consequence: once the old signing certificate is revoked, boot media, recovery images and backups that still use the old boot manager will no longer boot on that hardware. Also take into consideration that this vulnerability is the one leveraged by the BlackLotus UEFI bootkit in the wild, so installing the update without enabling the revocations leaves you exposed to a bootkit that persists below the operating system.
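Because "update installed" and "mitigation enabled" are two different states for this CVE, it is worth having a check that reports the second one. The function below is an added example written for this post, not N-able's or Microsoft's code. It follows the verification steps Microsoft publishes in KB5025885 (look for the "Windows UEFI CA 2023" certificate in the Secure Boot DB and the "Microsoft Windows Production PCA 2011" certificate in the DBX revocation list); the output property names are my own. Run it elevated on a UEFI host.

```powershell
# Added example: report whether the CVE-2023-24932 revocations are actually in
# place on this host. Installing the May 2023 update only stages the new boot
# manager; the DB/DBX changes checked here are the opt-in steps from KB5025885.
function Test-SecureBootRevocationState {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        SecureBootEnabled  = $false
        NewWindowsCaInDb   = $false   # "Windows UEFI CA 2023" trusted in DB
        OldPcaRevokedInDbx = $false   # "Microsoft Windows Production PCA 2011" listed in DBX
        Mitigated          = $false
    }

    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS / firmware without UEFI variables
        Write-Warning "Secure Boot state could not be read: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # db and dbx are raw EFI_SIGNATURE_LIST blobs. The certificate subject
    # strings are embedded as ASCII, so a substring match is sufficient
    # (this is the same check Microsoft's KB uses).
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    $result.NewWindowsCaInDb   = $db  -match 'Windows UEFI CA 2023'
    $result.OldPcaRevokedInDbx = $dbx -match 'Microsoft Windows Production PCA 2011'

    # Treat the host as mitigated only when the old CA is revoked AND the new CA
    # is trusted. Revoking the 2011 PCA without trusting the 2023 CA (and without
    # the boot manager signed by it) leaves the machine unable to boot.
    $result.Mitigated = $result.SecureBootEnabled -and
                        $result.NewWindowsCaInDb -and
                        $result.OldPcaRevokedInDbx

    [pscustomobject]$result
}

# Usage: run from an elevated PowerShell session.
Test-SecureBootRevocationState | Format-List
```

A host that reports `SecureBootEnabled = True` but both certificate checks `False` has the patch but not the protection, which is the exact state Microsoft's default leaves you in. Run the same check against the recovery and imaging media you would use to rebuild that host before you flip the revocation on, because media that still carries the old boot manager will stop booting afterwards.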
CVE-2023-29336 is the other major concern this month. This zero-day Win32k Elevation of Privilege vulnerability is under active exploitation, but Microsoft has not released any detail on how it is being exploited. An EoP that is already being used in the wild is the natural second stage for any phishing or browser foothold, so do not let its Important rating push it down your list.
Microsoft 365 and Click to Run
As a reminder and review from last month, modern Microsoft 365 Apps use a different update mechanism (Click-to-Run, which pulls builds from Microsoft's Office CDN) than older, MSI-based versions of Microsoft Office, so a patching process that only covers Windows Update or WSUS will not update them. Make sure you review your patching tools and processes to ensure M365 Apps have a defined update process in place. We have an automation item available in the Automation Cookbook for N‑sight and N‑central partners which allows them to check and update Microsoft 365 versions using Microsoft's Click-to-Run executable, which is included in all installs of Microsoft 365 Apps.
- Download Microsoft 365 Update with Version Check for N‑sight
- Download Microsoft 365 Update with Version Check for N‑central
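If you are not an N-able partner, or you want to see what such a check does before you deploy it, the script below is an added example for this post, not the Automation Cookbook item linked above. It reads the installed Click-to-Run build and channel from the registry, compares the build against a minimum version you supply, and calls the Click-to-Run client to update if the host is behind. The `-MinimumVersion` value is an assumption you take from Microsoft's update-history page for the channel you manage; the one in the usage line is illustrative only.

```powershell
# Added example (not N-able's Automation Cookbook script): check the installed
# Microsoft 365 Apps (Click-to-Run) build and trigger the C2R updater if it is
# older than the build expected for this Patch Tuesday.
function Update-M365AppsIfOutdated {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Minimum acceptable build, e.g. taken from the Microsoft 365 Apps
        # update history for your update channel (assumed input).
        [Parameter(Mandatory)][version]$MinimumVersion
    )

    $cfgPath = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path $cfgPath)) {
        Write-Warning 'No Click-to-Run configuration found. This host may run MSI-based Office, which is patched through Windows Update/WSUS instead.'
        return $null
    }

    $cfg       = Get-ItemProperty -Path $cfgPath
    $installed = [version]$cfg.VersionToReport   # e.g. 16.0.16327.20248
    $channel   = $cfg.UpdateChannel              # CDN URL identifying Current / Monthly Enterprise / Semi-Annual

    $state = [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InstalledVersion = $installed
        MinimumVersion   = $MinimumVersion
        UpdateChannel    = $channel
        Outdated         = ($installed -lt $MinimumVersion)
        UpdateTriggered  = $false
    }

    if ($state.Outdated) {
        # OfficeC2RClient.exe ships with every Click-to-Run install. "/update user"
        # pulls the latest build for the configured channel; displaylevel=false
        # suppresses the UI and forceappshutdown=false avoids killing open Office
        # apps in an interactive session (set it to true for maintenance windows).
        $client = Join-Path $env:CommonProgramFiles 'microsoft shared\ClickToRun\OfficeC2RClient.exe'
        if ((Test-Path $client) -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Run OfficeC2RClient.exe /update user')) {
            Start-Process -FilePath $client `
                -ArgumentList '/update user displaylevel=false forceappshutdown=false' `
                -Wait
            $state.UpdateTriggered = $true
        }
    }

    $state
}

# Usage (version value is illustrative; supply the build for your channel):
Update-M365AppsIfOutdated -MinimumVersion '16.0.16327.20248'
```

Run it with `-WhatIf` first to see which hosts would be updated without touching them. Note that the Click-to-Run client updates to whatever the configured channel currently serves, so the minimum version you pass should match that channel, not a different one.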
Microsoft Patch Tuesday Vulnerability Prioritization
As always, prioritizing which vulnerabilities to address first is part following established best practices and part gut instinct. Critical severity, Exploitation More Likely and Exploitation Detected vulnerabilities should, as always, rank high on your priority list. If you only patch based on severity you are leaving a lot of unnecessary risk exposure lying around: an Important vulnerability that is already being exploited is a bigger risk today than a Critical one that is unlikely ever to be exploited.
Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available
| CVE Number | CVE Title | Severity | Status |
|---|---|---|---|
| CVE-2023-29336 | Win32k Elevation of Privilege Vulnerability | I | ED |
| CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | I | ED |
| CVE-2013-3900 | WinVerifyTrust Signature Validation Vulnerability | R | ED |
| | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | C | ELL |
| | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | C | ELL |
| | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | C | ELL |
| | Windows OLE Remote Code Execution Vulnerability | C | EML |
| | Windows MSHTML Platform Security Feature Bypass Vulnerability | I | EML |
| | Microsoft SharePoint Server Remote Code Execution Vulnerability | C | EML |
| | Microsoft SharePoint Server Information Disclosure Vulnerability | I | EML |
| | Microsoft SharePoint Server Spoofing Vulnerability | I | EML |
| | Windows Kernel Elevation of Privilege Vulnerability | I | EML |
| | Windows Network File System Remote Code Execution Vulnerability | C | EML |
| | Win32k Elevation of Privilege Vulnerability | I | EML |
| | Microsoft Excel Spoofing Vulnerability | I | EML |
Summary
As always, make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only applied patches based on their severity, consider including prioritization of Zero-Day, Exploitation Detected and Exploitation More Likely vulnerabilities in your patch management routines.
Looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews? Check out this section of our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and its contents should not be considered legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability regarding the accuracy, completeness or usefulness of the information contained herein.
N-ABLE, N-CENTRAL and the other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common-law marks, registered marks or marks pending registration with the United States Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or may be registered trademarks) of their respective companies.