Date: 2023-05-11

Microsoft has released its May 2023 Patch Tuesday updates to address 38 security vulnerabilities, including a zero-day bug that the company says is being actively exploited.

Trend Micro’s Zero Day Initiative (ZDI) said the number of vulnerabilities was the lowest since August 2021, although it pointed out that “this number is expected to increase in the coming months”, recalling the large update that was released in January of this year.

What did Microsoft fix with Patch Tuesday?

Of the 38 vulnerabilities, six are classified as critical and 32 as important in terms of severity. Eight of the vulnerabilities have been marked by Microsoft with a “Most Likely Exploitation” rating.

This is in addition to 18 vulnerabilities, including 11 bugs, fixed by the Windows maker in its Chromium-based Edge browser following April’s Patch Tuesday updates.

At the top of the list is CVE-2023-29336 (CVSS score: 7.8), a privilege escalation vulnerability in Win32k that is being actively exploited. It is not immediately clear how widespread the attacks are.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said, crediting Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra for reporting the vulnerability.

This prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to apply the vendor’s fixes by May 30, 2023.

Also of note are two publicly known vulnerabilities, one of which is a critical remote code execution vulnerability affecting Windows OLE (CVE-2023-29325, CVSS score: 8.1) that could be exploited by an actor sending a specially crafted email to the victim.

As a mitigation, Microsoft recommends that users read email messages in plain text format to protect themselves from this vulnerability.
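The following PowerShell script, added here as an illustration and not taken from the article or from Microsoft, audits whether the current user’s Outlook profile already renders standard mail as plain text and can enforce that setting. It assumes the per-user setting is the `ReadAsPlain` DWORD under `HKCU:\Software\Microsoft\Office\<version>\Outlook\Options\Mail` (1 = plain text); verify that path against Microsoft’s documentation for your Office build before deploying it.

```powershell
# Added example (not from the article or from Microsoft): audit and optionally
# enforce Outlook's "read all standard mail as plain text" setting, the
# mitigation Microsoft recommended for CVE-2023-29325.
# Assumption: the per-user value is
#   HKCU:\Software\Microsoft\Office\<version>\Outlook\Options\Mail\ReadAsPlain (DWORD, 1 = plain text)
# Office version folders assumed: 16.0 (Office 2016/2019/365) and 15.0 (Office 2013).
$OfficeVersions = @('16.0', '15.0')

function Get-OutlookPlainTextState {
    foreach ($v in $OfficeVersions) {
        $key = "HKCU:\Software\Microsoft\Office\$v\Outlook\Options\Mail"
        # Skip versions that have no profile data for this user
        if (-not (Test-Path $key)) { continue }
        $val = (Get-ItemProperty -Path $key -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
        [pscustomobject]@{
            OfficeVersion = $v
            RegistryKey   = $key
            ReadAsPlain   = $val          # $null means the value is absent (Outlook default: render HTML)
            Mitigated     = ($val -eq 1)  # only an explicit 1 counts as mitigated
        }
    }
}

function Set-OutlookPlainText {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($state in Get-OutlookPlainTextState) {
        if ($state.Mitigated) { continue }
        # -WhatIf / -Confirm are honoured through ShouldProcess
        if ($PSCmdlet.ShouldProcess($state.RegistryKey, 'Set ReadAsPlain=1')) {
            Set-ItemProperty -Path $state.RegistryKey -Name ReadAsPlain -Value 1 -Type DWord
        }
    }
}

# Audit first; preview changes with -WhatIf, then run without it to apply.
Get-OutlookPlainTextState | Format-Table -AutoSize
Set-OutlookPlainText -WhatIf
```

Outlook reads the value at start-up, so a running Outlook must be restarted for the change to take effect.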

Another publicly known vulnerability is CVE-2023-24932 (CVSS score: 6.7), a Secure Boot security feature bypass that is used by the BlackLotus UEFI bootkit in order to exploit CVE-2022-21894 (aka Baton Drop), which was fixed in January 2022.

“This vulnerability allows an attacker to execute user-authenticated code at the Unified Extensible Firmware Interface (UEFI) layer while Secure Boot is enabled,” Microsoft said in a separate guide.

It added: “It is primarily used by cybercriminals as a defense evasion and persistence mechanism. A successful attack depends on whether the attacker has physical access or local administrator privileges on the targeted device.”

It is important to note that the fix provided by Microsoft is disabled by default and requires customers to apply the revocations manually, and only after updating all bootable media.

“Once the mitigation for this issue is enabled on a device, meaning revocations have been applied, there is no going back if you continue to use Secure Boot on that device,” Microsoft warned. “Even reformatting the disk will not remove the revocations if they have already been applied.”

The tech giant said it is taking a phased approach to shutting down the attack vector completely, in order to avoid the risk of unintended disruption, an exercise it expects to extend into the first quarter of 2024.

“Modern UEFI-based Secure Boot procedures are extremely complex to configure correctly or to significantly reduce their attack surfaces,” firmware security firm Binarly said last March. “That said, bootloader attacks aren’t going away anytime soon.”

Not just Microsoft

Besides the long-established IT company, other vendors have also released their own security updates; here they are: