Although May Patch Tuesday she be but little, she is fierce: Microsoft has pushed out a modest 38 new security fixes for its monthly fix cycle, but don’t get caught napping: they include fixes for a pre-authentication remote code execution (RCE) vulnerability in Outlook, CVE-2023-29325, that requires no user interaction and no privileges and for which the preview pane is a threat vector, and a Win32k Elevation of Privilege (EOP) vulnerability, CVE-2023-29336, which gives SYSTEM and which has been reported by AVAST as exploited in the wild.
Also under active exploitation is CVE-2023-24932, which allows attackers to bypass the Secure Boot protections and which Microsoft said is being used by the BlackLotus bootkit. BlackLotus can run on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled, and, per earlier research by ESET, gives “full control over the operating system boot process and thus being capable of disabling various operating system security mechanisms and deploying their own kernel-mode or user-mode payloads in early boot stages…” 😬
The bug “allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled. This is used by threat actors primarily as a persistence and defense evasion mechanism,” Microsoft said. “Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device” – ESET’s Martin Smolar and SentinelOne’s Tomer Sne-or were credited.
Mitigation is preventative, not corrective, and Redmond warns that “because of the security changes required for CVE-2023-24932…revocations must be applied to supported Windows devices. After these revocations are applied, the devices will intentionally become unable to start by using recovery or installation media, unless this media has been updated with the security updates released on or after May 9, 2023. This includes both bootable media, such as discs, external drives, network boot recovery, and restore images.” Double 😬 😬. Guidance here.
Another to watch is CVE-2023-24941, a Windows Network File System RCE bug with a CVSS of 9.8. This, as the ZDI notes, "allows a remote, unauthenticated attacker to run arbitrary code on an affected system with elevated privileges. No user interaction is required. Another interesting thing about this vulnerability is that it exists in NFS version 4.1 but not versions NFSv2.0 or NFSv3.0. You can mitigate this bug by downgrading to a previous version, but Microsoft warns that you should not use this mitigation unless you have the CVE-2022-26937 patch from May 2022 installed. The better idea is to test and deploy this month’s fix instead..."
As ever, prompt patching is recommended where humanly possible: threat groups including cybercriminals are increasingly swift at reverse engineering security patches and weaponising newly understood vulnerabilities.