Security News > 2023 > May > Microsoft fixes two actively exploited bugs, one used by BlackLotus bootkit (CVE-2023-29336, CVE-2023-24932)
For May 2023 Patch Tuesday, Microsoft has delivered fixes for 38 CVE-numbered vulnerabilities, including a patch for a Windows bug and a Secure Boot bypass flaw exploited by attackers in the wild.
"Historically, we've seen three separate examples where Win32k EoP vulnerabilities were exploited as zero days. In January 2022, Microsoft patched CVE-2022-21882, which was exploited in the wild and is reportedly a patch bypass for CVE-2021-1732, which was patched in February 2021 and also exploited in the wild. In October 2021, Microsoft patched another Win32k EoP, identified as CVE-2021-40449, which was linked to a remote access trojan known as MysterySnail, which was a patch bypass for CVE-2016-3309. However, it is unclear if this flaw is a patch bypass."
"This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface level while Secure Boot is enabled. This is used by threat actors primarily as a persistence and defense evasion mechanism," Microsoft shared.
"This is one of the publicly known bugs patched this month and has been widely discussed on Twitter. Although Microsoft offers some workarounds, it's a better idea to test and deploy this update quickly."
Admins in charge of Microsoft SharePoint servers should plug CVE-2023-24955, a RCE flaw exploited by the STAR Labs team during Pwn2Own Vancouver, he added.
"With low attack complexity and no privileges or user interaction required, we recommend patching within 72 hours on Windows Server 2012, 2016, 2019, and 2022. If you are unable to patch, an option is applying a temporary fix from Microsoft - they also note that this fix should only be applied if you have already applied security updates from May 2022," advised Automox's Peter Pflaster.
News URL
https://www.helpnetsecurity.com/2023/05/09/cve-2023-29336-cve-2023-24932/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-05-09 | CVE-2023-24955 | Code Injection vulnerability in Microsoft Sharepoint Enterprise Server and Sharepoint Server Microsoft SharePoint Server Remote Code Execution Vulnerability | 7.2 |
2022-01-11 | CVE-2022-21882 | Out-of-bounds Write vulnerability in Microsoft products Win32k Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40449 | Use After Free vulnerability in Microsoft products Win32k Elevation of Privilege Vulnerability | 7.8 |
2021-02-25 | CVE-2021-1732 | Out-of-bounds Write vulnerability in Microsoft products Windows Win32k Elevation of Privilege Vulnerability | 7.8 |
2016-08-09 | CVE-2016-3309 | Unspecified vulnerability in Microsoft products The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311. | 7.8 |