
Microsoft fixes two actively exploited bugs, one used by BlackLotus bootkit (CVE-2023-29336, CVE-2023-24932)
2023-05-09 18:58

For May 2023 Patch Tuesday, Microsoft has delivered fixes for 38 CVE-numbered vulnerabilities, including a patch for a Windows bug and a Secure Boot bypass flaw exploited by attackers in the wild.

"Historically, we've seen three separate examples where Win32k EoP vulnerabilities were exploited as zero days. In January 2022, Microsoft patched CVE-2022-21882, which was exploited in the wild and is reportedly a patch bypass for CVE-2021-1732, which was patched in February 2021 and also exploited in the wild. In October 2021, Microsoft patched another Win32k EoP, identified as CVE-2021-40449, which was linked to a remote access trojan known as MysterySnail, which was a patch bypass for CVE-2016-3309. However, it is unclear if this flaw is a patch bypass."

"This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface level while Secure Boot is enabled. This is used by threat actors primarily as a persistence and defense evasion mechanism," Microsoft shared.

"This is one of the publicly known bugs patched this month and has been widely discussed on Twitter. Although Microsoft offers some workarounds, it's a better idea to test and deploy this update quickly."

Admins in charge of Microsoft SharePoint servers should plug CVE-2023-24955, an RCE flaw exploited by the STAR Labs team during Pwn2Own Vancouver, he added.

"With low attack complexity and no privileges or user interaction required, we recommend patching within 72 hours on Windows Server 2012, 2016, 2019, and 2022. If you are unable to patch, an option is applying a temporary fix from Microsoft - they also note that this fix should only be applied if you have already applied security updates from May 2022," advised Automox's Peter Pflaster.
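The advice above boils down to two questions a defender must answer per host: is Secure Boot actually enforced, and is the May 2023 update installed? The following PowerShell audit is an added example, not code from the article, from Microsoft or from Automox. The KB identifiers it checks are placeholders (the article gives none); substitute the KB numbers for your OS build from the Microsoft Security Update Guide.

```powershell
# Added example: read-only host audit for the two conditions the May 2023
# advisories turn on (Secure Boot state and patch presence). Run elevated.
#Requires -RunAsAdministrator

# Placeholder only: replace with the real May 2023 cumulative update KB(s) for your build.
$RequiredKBs = @('KB-PLACEHOLDER-MAY-2023')

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy-BIOS / non-UEFI hosts; report that
    # as "not enforced" instead of letting the audit abort.
    try {
        return [bool](Confirm-SecureBootUEFI)
    } catch {
        return $false
    }
}

function Get-MissingUpdates {
    param([string[]]$KBs)
    # Get-HotFix enumerates Win32_QuickFixEngineering; compare against the required list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return @($KBs | Where-Object { $installed -notcontains $_ })
}

$os         = Get-CimInstance -ClassName Win32_OperatingSystem
$secureBoot = Get-SecureBootState
$missing    = Get-MissingUpdates -KBs $RequiredKBs

# Rank the finding: an unpatched host with Secure Boot off is exposed to both bugs.
$status = if (-not $secureBoot) { 'Secure Boot not enforced' }
          elseif ($missing.Count -gt 0) { 'Required update missing' }
          else { 'Patched and Secure Boot enforced' }

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OS             = $os.Caption
    Build          = $os.BuildNumber
    SecureBootOn   = $secureBoot
    MissingUpdates = ($missing -join ', ')
    Status         = $status
} | Format-List
```

Get-HotFix only lists updates registered in the QFE store, so treat a "missing" result as a prompt to confirm the OS build number against the release notes rather than as proof the host is unpatched; a Secure Boot result of False on a UEFI machine is the finding to escalate first, since the bootkit described above depends on that state.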


News URL

https://www.helpnetsecurity.com/2023/05/09/cve-2023-29336-cve-2023-24932/

Related Vulnerability

DATE | CVE | VULNERABILITY | TITLE | RISK (vector, complexity, vendor, CWE, score)
2023-05-09 | CVE-2023-24955 | Code Injection vulnerability in Microsoft Sharepoint Enterprise Server and Sharepoint Server | Microsoft SharePoint Server Remote Code Execution Vulnerability | network, low complexity, microsoft, CWE-94, 7.2
2022-01-11 | CVE-2022-21882 | Out-of-bounds Write vulnerability in Microsoft products | Win32k Elevation of Privilege Vulnerability | local, low complexity, microsoft, CWE-787, 7.8
2021-10-13 | CVE-2021-40449 | Use After Free vulnerability in Microsoft products | Win32k Elevation of Privilege Vulnerability | local, low complexity, microsoft, CWE-416, 7.8
2021-02-25 | CVE-2021-1732 | Out-of-bounds Write vulnerability in Microsoft products | Windows Win32k Elevation of Privilege Vulnerability | local, low complexity, microsoft, CWE-787, 7.8
2016-08-09 | CVE-2016-3309 | Unspecified vulnerability in Microsoft products | The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311. | local, low complexity, microsoft, 7.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 701 775 4527 4650 3617 13569