Patch Tuesday May 2023: Vulnerability Count Dips but UEFI Bootkits Deserve Your Attention

With only 38 new vulnerabilities addressed this month, is this the calm before the storm? In my experience, a dip in the number of vulnerabilities addressed on a given Microsoft Patch Tuesday is often followed by a sharp increase over the following months. You shouldn’t plan IT strategy around anecdotes or aching joints, but there is some wisdom in reading the winds. Since there are so few Microsoft updates this month, take the opportunity to get ahead while you can, and brace for a larger batch of vulnerabilities, possibly with manual mitigations to apply, after the next Patch Tuesday.
Microsoft Vulnerabilities
Microsoft has released fixes or updates for a total of 52 vulnerabilities. Some of these are republished older fixes, such as CVE-2013-3900, or updates to existing advisories, such as CVE-2023-23398. Of the 38 new vulnerabilities, three are zero-days that are either under active exploitation or rated exploitation more likely.
CVE-2023-29325 likely deserves priority-one status for you and your teams this month. This zero-day was publicly disclosed but is not under active exploitation as of publishing this blog; however, the delivery vector is trivial for threat actors to take advantage of once a proof of concept is released. According to Microsoft, “In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine.” Microsoft rates the attack complexity as high because an attacker has to win a race condition and prepare the target environment before exploitation, but attacks that chain vulnerabilities together are not uncommon, and there is a high likelihood this will become part of widespread attack campaigns. Until the update is deployed, the mitigation Microsoft lists is to configure Outlook to read all mail in plain text format, which keeps the preview pane from rendering the crafted content.
CVE-2023-24932 is a Secure Boot Security Feature Bypass vulnerability affecting Windows Server 2008 and newer OS builds, so almost every Windows system currently in production. Worth noting is that the fix released by Microsoft updates the Windows Boot Manager but does not mitigate the vulnerability by default: the update only ships the new boot manager, while the actual protections (trusting the new Windows signing certificate and revoking the old one through the UEFI forbidden signatures database, DBX) have to be enabled manually by following Microsoft’s guidance in KB5025885. Plan that step carefully, because once the revocation is applied it cannot be rolled back, and any boot or recovery media that is signed only with the old certificate will no longer boot on that machine. You also need to take into consideration that this vulnerability is leveraged by the BlackLotus UEFI bootkit in the wild.
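As an added check, not part of the original post or of Microsoft’s KB, the following PowerShell reads the Secure Boot DB and DBX variables to report whether the opt-in CVE-2023-24932 protections have actually been enabled on a host, since an installed May update on its own leaves the machine exploitable. It assumes an elevated session on a UEFI system; the certificate names it matches on are the ones Microsoft’s guidance refers to, and the function name and assessment strings are my own.

```powershell
# Added example (not from the original post or KB5025885): report whether this host has the
# CVE-2023-24932 Secure Boot revocations applied, rather than merely the May update installed.
# Assumes an elevated PowerShell session on a UEFI system (Get-SecureBootUEFI needs admin).

function Get-BlackLotusMitigationState {
    [CmdletBinding()]
    param()

    $state = [ordered]@{
        SecureBootEnabled  = $false
        NewCaInDb          = $false   # 'Windows UEFI CA 2023' present in the Secure Boot signature DB
        OldPcaRevokedInDbx = $false   # 'Microsoft Windows Production PCA 2011' present in DBX
        Assessment         = 'Unknown'
    }

    try {
        $state.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI platforms.
        $state.Assessment = 'Not a UEFI Secure Boot platform: ' + $_.Exception.Message
        return [pscustomobject]$state
    }

    # db and dbx are raw EFI_SIGNATURE_LIST blobs; the X.509 subject names inside them are ASCII,
    # so a plain string match is enough to tell which certificates are present.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    $state.NewCaInDb          = [bool]($db  -match 'Windows UEFI CA 2023')
    $state.OldPcaRevokedInDbx = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')

    $state.Assessment = if (-not $state.SecureBootEnabled) {
        'Secure Boot is disabled; the CVE-2023-24932 protections cannot take effect'
    } elseif ($state.NewCaInDb -and $state.OldPcaRevokedInDbx) {
        'Mitigated: Windows UEFI CA 2023 trusted and Windows Production PCA 2011 revoked'
    } elseif ($state.NewCaInDb) {
        'Partially applied: new CA trusted, but the 2011 PCA is not revoked, so an old vulnerable boot manager still loads'
    } else {
        'Not applied: at most the May update is installed; the revocations have not been enabled'
    }

    [pscustomobject]$state
}

Get-BlackLotusMitigationState | Format-List
```

Run it before and after following the KB steps on a test machine; the “Partially applied” state is the one to watch for in fleet reporting, because it looks patched in an update inventory while the bootkit’s old boot manager still passes Secure Boot.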
CVE-2023-29336 is also a major concern this month. This zero-day Win32k Elevation of Privilege vulnerability is under active exploitation, but Microsoft has not released any information on how it is being exploited. A local attacker who successfully exploits it gains SYSTEM privileges, which is exactly the kind of bug that gets chained after an initial foothold, so it belongs near the top of the list even though it is rated Important rather than Critical.
Microsoft 365 and Click to Run
As a reminder from last month, modern Microsoft 365 Apps use a different update mechanism than older versions of Microsoft Office, so they are easy to miss in a Windows Update-centric process. Make sure you review your patching tools and processes to ensure M365 Apps have a defined update process in place. We have an automation item available in the Automation Cookbook for N‑sight and N‑central partners which lets them check and update Microsoft 365 versions through Microsoft’s Click-to-Run executable, which is included in all installs of Microsoft 365 Apps.
- Download Microsoft 365 Update with Version Check for N‑sight
- Download Microsoft 365 Update with Version Check for N‑central
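As an added example, not the Automation Cookbook item linked above, the following PowerShell reads the installed build and update channel from the Click-to-Run configuration and, if the build is below an assumed minimum, launches the Click-to-Run client to update. The registry value names and the OfficeC2RClient.exe switches are Microsoft’s; the function names, the per-machine install path assumption and the placeholder minimum build are mine.

```powershell
# Added example (not the N-able Automation Cookbook item): read the installed Microsoft 365 Apps
# build and update channel from the Click-to-Run configuration and, if the build is below an
# assumed minimum, run the Click-to-Run client to update. Assumes a per-machine install (HKLM)
# and an elevated session when an update is triggered.

function Get-M365AppsVersion {
    $cfgPath = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path $cfgPath)) {
        return $null   # no Click-to-Run install; MSI-based Office is updated through Windows Update instead
    }
    $cfg = Get-ItemProperty -Path $cfgPath
    [pscustomobject]@{
        Version        = [version]$cfg.VersionToReport
        UpdateChannel  = $cfg.UpdateChannel      # CDN URL that identifies the servicing channel
        UpdatesEnabled = $cfg.UpdatesEnabled
        Platform       = $cfg.Platform
    }
}

function Invoke-M365AppsUpdate {
    param([switch] $ForceAppShutdown)
    $client = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe'
    if (-not (Test-Path $client)) { throw "OfficeC2RClient.exe not found at $client" }
    $c2rArgs = @('/update', 'user', 'displaylevel=false')
    if ($ForceAppShutdown) { $c2rArgs += 'forceappshutdown=true' }   # otherwise the update waits for open Office apps
    Start-Process -FilePath $client -ArgumentList $c2rArgs -Wait
}

# Assumed minimum build for this example; take the current build for your channel from
# Microsoft's Microsoft 365 Apps release notes.
$minimumBuild = [version]'16.0.16327.20248'

$before = Get-M365AppsVersion
if ($null -eq $before) {
    'Microsoft 365 Apps (Click-to-Run) is not installed on this host'
} elseif ($before.Version -ge $minimumBuild) {
    "Up to date: {0} on channel {1}" -f $before.Version, $before.UpdateChannel
} else {
    "Outdated: {0} (below {1}); triggering Click-to-Run update" -f $before.Version, $minimumBuild
    Invoke-M365AppsUpdate -ForceAppShutdown
    "After update: {0}" -f (Get-M365AppsVersion).Version
}
```

OfficeC2RClient.exe hands the work off to the Click-to-Run service and may return before the download finishes, so in an RMM job treat the “After update” line as a first check and re-read VersionToReport on the next run rather than trusting a single pass.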
Microsoft Patch Tuesday Vulnerability Prioritization
As always, prioritizing which vulnerabilities to address first is partly a matter of following established best practices and partly gut instinct. Critical severity, exploitation more likely, and exploitation detected vulnerabilities should as always rank fairly high on the priority list. If you only patch based on severity you are leaving a lot of unnecessary risk exposure lying around: both of this month’s actively exploited bugs are rated Important, not Critical.
Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available
| CVE Number | CVE Title | Severity | Status |
|---|---|---|---|
| CVE-2023-29336 | Win32k Elevation of Privilege Vulnerability | I | ED |
| CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | I | ED |
| CVE-2013-3900 | WinVerifyTrust Signature Validation Vulnerability | R | ED |
| | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | C | ELL |
| | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | C | ELL |
| | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-29325 | Windows OLE Remote Code Execution Vulnerability | C | EML |
| | Windows MSHTML Platform Security Feature Bypass Vulnerability | I | EML |
| | Microsoft SharePoint Server Remote Code Execution Vulnerability | C | EML |
| | Microsoft SharePoint Server Information Disclosure Vulnerability | I | EML |
| | Microsoft SharePoint Server Spoofing Vulnerability | I | EML |
| | Windows Kernel Elevation of Privilege Vulnerability | I | EML |
| | Windows Network File System Remote Code Execution Vulnerability | C | EML |
| | Win32k Elevation of Privilege Vulnerability | I | EML |
| | Microsoft Excel Spoofing Vulnerability | I | EML |
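As an added example, not part of the original post, the following PowerShell applies the ranking the prioritization section recommends, exploitation status ahead of severity, to a constructed subset of this month’s table and contrasts it with a severity-only ordering. The tier scheme, rank values and function name are my own; CVE numbers the post does not give are left blank.

```powershell
# Added example (not from the original post): rank the month's CVEs with exploitation status
# ahead of severity, as the post recommends, and contrast that with a severity-only ordering.
# The rows are a constructed subset of this month's table; CVE numbers not given in the
# post are left blank.

$patchRows = @(
    [pscustomobject]@{ CVE = 'CVE-2023-29336'; Title = 'Win32k Elevation of Privilege';        Severity = 'I'; Status = 'ED'  }
    [pscustomobject]@{ CVE = 'CVE-2023-24932'; Title = 'Secure Boot Security Feature Bypass';  Severity = 'I'; Status = 'ED'  }
    [pscustomobject]@{ CVE = 'CVE-2023-29325'; Title = 'Windows OLE Remote Code Execution';    Severity = 'C'; Status = 'EML' }
    [pscustomobject]@{ CVE = '';               Title = 'Windows LDAP Remote Code Execution';   Severity = 'C'; Status = 'ELL' }
    [pscustomobject]@{ CVE = '';               Title = 'Windows SSTP Remote Code Execution';   Severity = 'C'; Status = 'ELL' }
    [pscustomobject]@{ CVE = '';               Title = 'Microsoft SharePoint Server Spoofing'; Severity = 'I'; Status = 'EML' }
    [pscustomobject]@{ CVE = '';               Title = 'Microsoft Excel Spoofing';             Severity = 'I'; Status = 'EML' }
)

# Lower number sorts first. Status outranks severity: an Important bug exploited in the wild
# goes ahead of a Critical one rated "exploitation less likely".
$statusRank   = @{ 'ED' = 0; 'EML' = 1; 'ELL' = 2; 'N/A' = 3 }
$severityRank = @{ 'C' = 0; 'I' = 1; 'M' = 2; 'R' = 3 }

function Get-PatchPriority {
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Row)
    process {
        $s = $statusRank[$Row.Status];     if ($null -eq $s) { $s = 3 }
        $v = $severityRank[$Row.Severity]; if ($null -eq $v) { $v = 3 }
        # Tier 1: exploited or exploitation more likely, at any severity.
        # Tier 2: remaining Critical items. Tier 3: everything else (still patch it, just later).
        $tier = if ($s -le 1) { 1 } elseif ($v -eq 0) { 2 } else { 3 }
        $Row |
            Add-Member -NotePropertyName Tier    -NotePropertyValue $tier          -Force -PassThru |
            Add-Member -NotePropertyName SortKey -NotePropertyValue ($s * 10 + $v) -Force -PassThru
    }
}

'--- Severity only: both exploited-in-the-wild bugs sink below unexploited Critical RCEs ---'
$patchRows | Sort-Object { $severityRank[$_.Severity] } | Format-Table CVE, Title, Severity, Status -AutoSize

'--- Status first, then severity: exploited and likely-exploited items lead regardless of rating ---'
$patchRows | Get-PatchPriority | Sort-Object SortKey | Format-Table Tier, CVE, Title, Severity, Status -AutoSize
```

Feed it the full month’s rows from your vulnerability scanner or the MSRC export instead of the constructed subset, and the Tier column becomes the order for your deployment rings; re-ranking is cheap, so rerun it whenever Microsoft revises a status from “more likely” to “detected”.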
Summary
As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only applied patches based on severity, consider adding prioritization of zero-day, Exploitation Detected, and Exploitation More Likely vulnerabilities to your patch management routines.
Looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews? Check out this section of our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.
The N-ABLE and N-CENTRAL marks and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd and may be common law marks, registered, or pending registration with the U.S. Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.