Microsoft fixes three zero-days in May 2023 Patch Tuesday
A Secure Boot bypass flaw was actively exploited by a threat actor to install the BlackLotus UEFI bootkit
As part of its regular Patch Tuesday updates, Microsoft has released its May 2023 security package, addressing a total of 38 security vulnerabilities across its various products.
The company has fixed three zero-day vulnerabilities: two of them are actively exploited in attacks, while the third was publicly disclosed.
Microsoft categorises a security flaw as a zero-day if it is actively exploited or publicly disclosed, and there is no official fix available for it.
Of the 38 vulnerabilities addressed this month, six are rated "Critical" while the remaining 32 are rated "Important" in severity. Eight have been marked with an "Exploitation More Likely" assessment by Microsoft.
Microsoft has also addressed 11 flaws in its Chromium-based Edge browser since the beginning of May.
Actively exploited
At present, two vulnerabilities are being actively exploited. One of them is CVE-2023-24932, a Secure Boot bypass flaw that has been used by a threat actor to install the BlackLotus UEFI bootkit.
The Secure Boot feature is designed to prevent devices from running malicious or unauthorised software before the operating system, such as Windows, starts.
However, the BlackLotus bootkit is able to bypass this security measure by exploiting weaknesses in the boot process. This allows the bootkit to load before anything else, including the operating system and any security tools that could potentially prevent it from running.
Once installed, the BlackLotus bootkit can disable antivirus defenses and install a kernel driver that can receive commands from a control server.
"To exploit the vulnerability, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy," states Microsoft's advisory.
According to Microsoft, CVE-2023-24932 is a bypass for the previously fixed CVE-2022-21894 vulnerability.
Adam Barnett, lead software engineer at Rapid7, advised administrators to take additional measures beyond simply applying the patches to mitigate the impact of the vulnerability.
"The patch enables the configuration options necessary for protection, but administrators must apply changes to UEFI config after patching. The attack surface is not limited to physical assets, either; Windows assets running on some VMs, including Azure assets with Secure Boot enabled, also require these extra remediation steps for protection," Barnett added.
Second zero-day
Microsoft has also addressed a privilege escalation vulnerability (CVE-2023-29336) in the Win32k Kernel driver, which enables attackers to elevate their privileges to SYSTEM, the highest user privilege level in Windows.
Although Microsoft has confirmed that this vulnerability is being actively exploited, there is currently no information available regarding how it has been abused by threat actors.
"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," reads Microsoft's advisory.
Microsoft has credited Jan Vojtešek, Milánek, and Luigino Camastra from Avast for the discovery of CVE-2023-29336.
Kev Breen, Director of Cyber Threat Research at Immersive Labs, emphasised the urgency of patching CVE-2023-29336.
"As a vulnerability that is actively exploited in the wild, this one should be at the top of organizations' list to patch," Breen said.
"Microsoft has provided few other details about how an attacker can exploit it. While the vulnerability's CVE score is relatively low at 7.8, when compared to other remote code execution vulnerabilities, it's clear it should be patched quickly."
Third zero-day
Microsoft has also resolved a publicly disclosed zero-day vulnerability (CVE-2023-29325) in Microsoft Outlook software. It is an OLE flaw that can be exploited through the use of specially crafted emails.
"Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim's Outlook application displaying a preview of a specially crafted email," according to Microsoft.
"This could result in the attacker executing remote code on the victim's machine."
To successfully exploit CVE-2023-29325, an attacker must first win a race condition and then take additional actions.
Breen warned that CVE-2023-29325, if successfully weaponised, could be highly sought after by e-crime and ransomware groups. These threat actors could potentially use the vulnerability to target numerous organisations with very little effort, making it a significant concern for cybersecurity professionals.
Microsoft has also addressed other vulnerabilities with notably high CVSS scores in its May 2023 Patch Tuesday update.
One such vulnerability is CVE-2023-24941, which affects the Windows Network File System and can be exploited over the network via an unauthenticated, specially crafted request. This vulnerability has a CVSS score of 9.8, the highest of all the flaws addressed this month.