Security News > 2023 > May > Microsoft fixes two actively exploited bugs, one used by BlackLotus bootkit (CVE-2023-29336, CVE-2023-24932)

For May 2023 Patch Tuesday, Microsoft has delivered fixes for 38 CVE-numbered vulnerabilities, including a patch for a Windows bug and a Secure Boot bypass flaw exploited by attackers in the wild.

"Historically, we've seen three separate examples where Win32k EoP vulnerabilities were exploited as zero days. In January 2022, Microsoft patched CVE-2022-21882, which was exploited in the wild and is reportedly a patch bypass for CVE-2021-1732, which was patched in February 2021 and also exploited in the wild. In October 2021, Microsoft patched another Win32k EoP, identified as CVE-2021-40449, which was linked to a remote access trojan known as MysterySnail, which was a patch bypass for CVE-2016-3309. However, it is unclear if this flaw is a patch bypass."

"This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface level while Secure Boot is enabled. This is used by threat actors primarily as a persistence and defense evasion mechanism," Microsoft shared.

"This is one of the publicly known bugs patched this month and has been widely discussed on Twitter. Although Microsoft offers some workarounds, it's a better idea to test and deploy this update quickly."

Admins in charge of Microsoft SharePoint servers should plug CVE-2023-24955, a RCE flaw exploited by the STAR Labs team during Pwn2Own Vancouver, he added.

"With low attack complexity and no privileges or user interaction required, we recommend patching within 72 hours on Windows Server 2012, 2016, 2019, and 2022. If you are unable to patch, an option is applying a temporary fix from Microsoft - they also note that this fix should only be applied if you have already applied security updates from May 2022," advised Automox's Peter Pflaster.

News URL

https://www.helpnetsecurity.com/2023/05/09/cve-2023-29336-cve-2023-24932/