Microsoft’s May Patch Tuesday Addresses 3 Zero-Days

Microsoft released its May Patch Tuesday update this week, with a total of 38 security fixes, including three zero-day vulnerabilities. The first zero-day vulnerability, tracked as CVE-2021-33742, is a Windows NTFS Elevation of Privilege (EoP) vulnerability. The second, tracked as CVE-2021-31201, is a Windows SMBv3 Elevation of Privilege (EoP) vulnerability. The third and final zero-day, tracked as CVE-2021-31199, is a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability. Read on to learn more.

What are the May Microsoft Patch Tuesday Vulnerabilities?

The three zero-day vulnerabilities include two actively exploited in attacks and another publicly disclosed.

The two actively exploited zero-day vulnerabilities addressed in this update are:

• CVE-2023-29336 – An elevation of privilege (EoP) vulnerability in Microsoft’s Win32k, a core kernel-side driver used in Windows. This vulnerability received a CVSSv3 score of 7.8 and was exploited in the wild as a zero-day. Exploiting this vulnerability would allow an attacker to gain SYSTEM-level privileges on an affected host.
• CVE-2023-24932 – A security feature bypass vulnerability in Secure Boot in Windows operating systems, allowing untrusted software to run during the boot-up process. It was publicly disclosed and exploited in the wild as a zero-day before the availability of a patch.

The flaw was given a CVSSv3 score of 6.7. Exploiting this vulnerability requires an attacker to have administrative rights or physical access to the vulnerable device; therefore, Microsoft has rated this as “Exploitation Less Likely” according to its Exploitability Index.

Microsoft also released a security update for one publicly disclosed zero-day vulnerability that was not actively exploited:

• CVE-2023-29325 – A remote code execution (RCE) vulnerability in the Windows Object Linking and Embedding (OLE) mechanism of Windows operating systems that was publicly disclosed and given a CVSSv3 score of 8.1. Windows OLE is a technology that allows the creation of documents containing objects from several applications.

The vulnerability lies in the processing of RTF documents and emails. Microsoft said that the Preview Pane feature in Microsoft Outlook and Office is a vector for exploitation. An unauthenticated, remote attacker can exploit this vulnerability by sending a specially crafted document to a vulnerable system. However, the vulnerability is considered highly complex to exploit.

The complete list of resolved vulnerabilities in the May 2023 Patch Tuesday updates can be found in the full report.

What is Nuspire doing?

Nuspire applies patches when released in accordance with vendor recommendations.

What should I do?

Organizations should review the Microsoft May 2023 Patch Tuesday security updates, apply patches to affected systems as soon as possible and regularly scan the environment to identify those systems yet to be patched.

• Focus patching activities on the two actively exploited vulnerabilities described above.
• Review individual CVEs from Microsoft to learn about workarounds/mitigations if immediate patching is not possible.
• Review system configurations. This will ensure that best practices are in place to reduce the attack surface.
• Consider deploying additional security measures such as implementing multi-factor authentication and securing privileged accounts.
• Ensure their security monitoring and detection capabilities are enabled and tuned to detect potential malicious activity.