While May Patch Tuesday was relatively small, one Windows zero-day will burden admins for months to come.
Microsoft resolved 38 unique new vulnerabilities, with six rated critical, and updated 13 previously published security updates for 51 total CVEs addressed on May Patch Tuesday. The company addressed two new Windows zero-days -- with one also publicly disclosed -- and another public disclosure for a Windows Object Linking and Embedding (OLE) flaw. Eleven of the older security updates were re-released for information changes.
Windows zero-day Secure Boot bug will require extra effort to resolve
While administrators will have most of their Patch Tuesday work done after they deploy the Windows security updates, one vulnerability will demand extensive manual work to protect systems from bootkit malware.
CVE-2023-24932 is a Secure Boot security feature bypass vulnerability. The flaw, which affects Windows Server and desktop systems, is being actively exploited and has been publicly disclosed. The attacker needs physical access or administrative rights to the system to exploit the vulnerability with the BlackLotus bootkit and run self-signed code at the Unified Extensible Firmware Interface (UEFI) level.
By running before the operating system, UEFI bootkits are particularly dangerous with their ability to bypass or turn off multiple Windows protections, such as BitLocker and Microsoft Defender Antivirus.
Applying the patch is only the first step. Next, administrators must get updated bootable media from Microsoft or their device manufacturer and run through the process to update the boot managers. Only after following those steps can customers enable the protections in the security update.
"If you are using any type of bootable media to provision new systems, that needs to be updated. Otherwise you could end up with a version that could inject bad things as you're installing a new OS," said Chris Goettl, Ivanti vice president of security product management.
This is the first of three phases to resolve the issue. On July Patch Tuesday, Microsoft plans to release more update options to reduce the complexity of the deployment process. In the last stage, due sometime in the first quarter of 2024, Microsoft intends to turn on the fix for CVE-2023-24932 by default and turn on the boot manager revocations on Windows systems.
"When updates like this come out, there's so many additional steps that have to be taken into account. It's painful," Goettl said. "With that amount of work, if you're one person trying to do all these things, then you can get bogged down for a very long time."
The other zero-day for May Patch Tuesday is a Win32k elevation-of-privilege vulnerability (CVE-2023-29336) rated important. This flaw affects Windows 10 systems and Windows Server 2008 through 2016 systems. A successful exploit would give an attacker system privileges to gain full control. Correcting this bug is less of a challenge; applying the cumulative update for this month will resolve this vulnerability.
Windows OLE flaw exposes Microsoft Outlook to potential threats
A critical Windows OLE remote-code execution vulnerability (CVE-2023-29325) was publicly disclosed. Microsoft reported the availability of proof-of-concept code but did not detect any active exploits before releasing the security update for this flaw. Attackers can exploit this vulnerability, which affects Windows Server and desktop systems, over the network without user interaction.
Windows OLE refers to the integration feature in the Windows OS that displays a preview of an object, such as a spreadsheet or an image, without the need to run a separate application.
The Microsoft Outlook Preview Pane is an attack vector. If the recipient of a specially crafted email views the contents in the Preview Pane, then the threat actor could run remote code on that user's machine.
"If you were really worried about this and not planning to push the OS update for a while, then you can change the Outlook settings to view email in plain text until you get the update in place," Goettl said.
Rich-text format documents are also susceptible to this flaw.
Other security updates of note for May Patch Tuesday
One critical vulnerability this month that falls outside of the Windows product family is CVE-2023-24955, a SharePoint Server remote-code execution vulnerability with a CVSS base score of 7.2. Microsoft rates the attack complexity as low, and the exploit does not require user interaction.
"In a network-based attack, an authenticated attacker as a Site Owner could execute code remotely on the SharePoint Server," Microsoft wrote in its notes on the CVE.
The vulnerability affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019 and Microsoft SharePoint Server Subscription Edition.
A Windows Network File System (NFS) remote-code execution vulnerability (CVE-2023-24941) is rated critical with a base CVSS score of 9.8. An attacker does not require authentication or user interaction to exploit this flaw over the network with a specially crafted call to the NFS service on Windows Server systems to run code remotely.
Organizations that cannot patch immediately can mitigate affected machines by disabling NFS version 4.1. However, Microsoft warns that this could adversely affect their environments and should only be performed on systems that have applied the May 2022 Windows security updates.