With only 38 vulnerabilities addressed, May’s Patch Tuesday is the quietest that has been seen for a while. This month's batch of Microsoft security updates includes fixes for 6 critical, 3 publicly disclosed, and 3 vulnerabilities that have been actively exploited in the wild.
This critical vulnerability exists within the Windows Network File System. While not publicly disclosed or exploited in the wild, this vulnerability would allow an attacker to send a specially crafted unauthenticated call to the Network File System, which could lead to the execution of arbitrary code. Mitigations and recommendations for this vulnerability can be found here.
This critical vulnerability in Microsoft SharePoint Server could allow a remote authenticated attacker to execute code. This flaw has not yet been exploited in the wild; we advise applying the latest updates as soon as possible.
An attacker who has physical access or Administrative rights to a target device could install an affected boot policy allowing them to bypass secure boot. This important vulnerability is publicly disclosed and has been reported to be exploited in the wild. Microsoft states “The security update addresses the vulnerability by updating the Windows Boot Manager, but is not enabled by default. Additional steps are required at this time to mitigate the vulnerability.” More information can be found here.
Window Object Linking and Embedding received a critical vulnerability patch after it was publicly disclosed through a coordinated vulnerability disclosure. “requires an attacker to win a race condition and also to take additional actions prior to exploitation to prepare the target environment” reported Microsoft. The most serious of cases would be a successful exploitation through Microsoft Outlook where a specially crafted email could result in the remote execution of code.
An important vulnerability in the Win32k Driver would allow an attacker to elevate their privileges to SYSTEM, the highest available on a Windows machine. This vulnerability is known to be exploited in the wild but isn’t publicly disclosed restricting the information available about this vulnerability.
Microsoft has republished CVE-2013-3900 to inform consumers that EnableCertPaddingCheck is available in all supported versions of Windows 10 and 11. “A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights” Microsoft states. More information about this vulnerability can be found here.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-May
Security update guide: https://msrc.microsoft.com/update-guide/
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.