Microsoft Patches 3 Zero Day Flaws in May Security Update
|• Microsoft's May Patch Tuesday includes 38 bulletins and three critical zero-day fixes. The first is CVE-2023-29325, a remote code execution flaw in Windows Object Linking and Embedding (OLE), which can be exploited through specially crafted emails in Microsoft Outlook.
• The second zero-day flaw, CVE-2023-24932, deals with a feature bypass issue in Windows' Secure Boot Security.
• The third zero-day vulnerability, CVE-2023-29336, is an elevation of privilege vulnerability in the Win32k Kernel Driver. It has been observed in attacks without public disclosure, indicating an ongoing threat.
Microsoft's monthly security update arrived on Tuesday with a lighter-than-usual 38 bulletins to address flaws across the company's line of supported products and services.
While the number is low, Microsoft's May Patch Tuesday comes packed with three zero-day flaws that should be applied (for those who do not have Windows Autopatch enabled) as soon as possible.
The most severe of the three is bulletin CVE-2023-29325, a remote code execution flaw fix in Windows Object Linking and Embedding (OLE). Attackers who successfully navigate the flaw can execute malicious code if a specially crafted email is opened in some versions of Microsoft Outlook -- and only minimal user interaction would be necessary for exploitation, according to Yoav Iellin, senior researcher at security firm Silverfort.
While successful attacks have not yet been seen taking advantage of the vulnerability, the flaw has been publicly disclosed, so attacks in the near future are likely, said Iellin. "At this stage, we believe Outlook users will be the main attack vector, although it has the potential to be used in other Office programs as well."
Iellin suggests that IT deploys this patch with haste and, for those who cannot deploy right away, follow Microsoft's workaround, which involves setting Microsoft Office to read emails in plain text only.
The second zero is also a publicly disclosed (but yet not exploited) flaw dealing with a feature bypass issue in Windows' Secure Boot Security. CVE-2023-24932 helps address a potential threat from outside actors who have physical access to a device from setting their own boot policy on a system.
According to Microsoft, this update will need a couple of additional steps. "The security update addresses the vulnerability by updating the Windows Boot Manager, but is not enabled by default," read the bulletin. To do this, Microsoft recommends the following steps, which includes applying specific revocations files to fully inoculate a system.
The final zero day breaks the mold by not being publicly disclosed, however attacks have been seen in the wild. CVE-2023-29336 rectifies an elevation of privilege vulnerability in the Win32k Kernel Driver.
While little is known about this flaw, some details can be inferred by those who discovered it, according to Dustin Childs, security expert and author of the Zero Day Initiative blog. "This type of privilege escalation is usually combined with a code execution bug to spread malware. Considering this was reported by an AV company, that seems the likely scenario here. As always, Microsoft offers no information about how widespread these attacks may be."
If looking to prioritize patching, it is recommended that IT continue on to the remaining six bulletins categorized as "critical." They include:
- CVE-2023-24903: Remote code execution vulnerability in Windows Secure Socket Tunneling Protocol (SSTP).
- CVE-2023-24943: Remote code execution vulnerability in Windows Pragmatic General Multicast (PGM).
- CVE-2023-24941: Remote code execution vulnerability in Windows Network File System.
- CVE-2023-24955: Security feature bypass vulnerability in Microsoft SharePoint Server.
- CVE-2023-29324: Security feature bypass vulnerability in the Windows MSHTML Platform.
- CVE-2023-28283: Remote code execution vulnerability in Windows Lightweight Directory Access Protocol (LDAP).
The full list of this month's bulletins can be found here.