Microsoft on Tuesday announced patches for 40 newly documented vulnerabilities in its products, including two zero-day flaws.
One of the zero-days, CVE-2023-29336, is described as an elevation of privilege bug in the Win32k driver. Successful exploitation could allow an attacker to gain System privileges.
Microsoft has shared no information on the attacks exploiting this vulnerability, but such issues are typically combined with code execution flaws to spread malware, according to Trend Micro’s Zero Day Initiative (ZDI), which published a summary of the patches.
Reported by Avast, CVE-2023-29336 impacts systems running Windows 10 and Windows Server 2008, 2012, and 2016.
Reported by ESET and SentinelOne researchers, the second zero-day, CVE-2023-24932, is described as a Secure Boot security feature bypass that could allow an attacker with physical access or administrative privileges to execute self-signed code at the UEFI level.
The issue has been exploited by the BlackLotus UEFI bootkit that first emerged in October 2022, and which can disable security applications and other defense mechanisms on vulnerable machines.
Addressing CVE-2023-24932, Microsoft says, requires revoking boot managers, an irreversible action that could cause issues for some boot configurations.
Microsoft’s May 2023 update does not provide a full patch for the vulnerability, but represents the first step in resolving the issue. Automated deployment of the revocation files will be added on July 2023 Patch Tuesday and the revocations will be enforced starting with the first quarter of the next year.
“The May 9, 2023 security update provides configuration options to manually enable protections for the Secure Boot bypass but these protections are not enabled automatically. Before you enable these protections, you must verify your devices and all bootable media are updated and ready for this security hardening change,” the tech giant explains in a knowledge base article.
Some of the critical vulnerabilities patched with Microsoft’s latest updates include remote code execution flaws in Windows Network File System (CVE-2023-24941), Windows Pragmatic General Multicast (CVE-2023-24943), and Windows OLE (CVE-2023-29325).
The tech giant also resolved CVE-2023-24955, a remote code execution flaw in SharePoint Server that was disclosed by the Star Labs team at the Pwn2Own Vancouver 2023 exploit contest.
Microsoft’s May 2023 Patch Tuesday updates address other elevation of privilege and remote code execution bugs, along with information disclosure, denial-of-service, and security feature bypass flaws.
In addition to the 40 Microsoft-specific vulnerabilities, the release notes mention nine Chrome security defects that the tech giant is now addressing in the Chromium-based Edge browser.