Microsoft May 2023 Security Updates Fixes 49 Vulnerabilities (6 Critical, 2 zero-days)

The Microsoft May 2023 Security Updates includes patches and advisories for 49 vulnerabilities, including 6 Critical severity issues and two zero-days exploited in the wild.

A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.

Microsoft Products Affected

This month’s Microsoft security updates cover multiple impacted products and families, including, but not limited to (listing those with vulnerability CVSS scores greater than 7):

Microsoft Bluetooth Driver
Microsoft Edge (Chromium-based)
Microsoft Graphics Component
Microsoft Office
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Office Word
Microsoft Windows Codecs Library
Reliable Multicast Transport Driver (RMCAST)
Remote Desktop Client
SysInternals
Windows Backup Engine
Windows Installer
Windows Kernel
Windows LDAP – Lightweight Directory Access Protocol
Windows MSHTML Platform
Windows Network File System
Windows NFS Portmapper
Windows OLE
Windows Remote Procedure Call Runtime
Windows Secure Socket Tunneling Protocol (SSTP)
Windows SMB
Windows Win32K

Readers can check out the May 2023 Release Notes and also download more vulnerability and patch details via Microsoft’s Security Update Guide.

Zero day CVEs

Microsoft patched two zero days exploited in the wild:

CVE-2023-29336: Win32k Elevation of Privilege Vulnerability (CVSS 7.8)
CVE-2023-24932: Secure Boot Security Feature Bypass Vulnerability (CVSS 6.7).

Regarding CVE-2023-29336 that affects Win32k, an attacker who successfully exploited this vulnerability could gain SYSTEM privileges. CISA has added this vulnerability its Known Exploited Vulnerabilities Catalog also on May 9, 2023.

For CVE-2023-24932 that affects Secure Boot, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy. As a consequence, a bad actor could bypass Secure Boot by exploiting this vulnerability.

Microsoft confirmed “Exploitation Detected” in each of the advisories and has rated each vulnerability as Important.

Critical RCEs

In addition, Microsoft patched the following six (6) Critical Remote Code Execution (RCE) vulnerabilities (along with CVSS score) on May 9, 2023:

CVE-2023-24903: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability (CVSS 8.1)
CVE-2023-24941: Windows Network File System Remote Code Execution Vulnerability (CVSS 9.8)*
CVE-2023-24943: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability (CVSS 9.8)
CVE-2023-24955: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVSS 7.2)*
CVE-2023-28283: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVSS 8.1)
CVE-2023-29325: Windows OLE Remote Code Execution Vulnerability (CVSS 8.1)*

*Of special note: three of the Critical CVEs (CVE-2023-24941, CVE-2023-24955, CVE-2023-29325) are “More Likely” of being exploited, Microsoft warned.

Regarding the most severe of the Critical issues (CVE-2023-24941), Microsoft warned the vulnerability “could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).”

Other CVEs

Moreover, Microsoft addressed multiple other vulnerabilities in multiple products on May 5 and May 9, 2023.

The patched issues rated Important or Moderate in severity include Denial of Service (5), Elevation of Privilege (8), Information Disclosure (8), Remote Code Execution (6), Security Feature Bypass (5), and Spoofing (2) vulnerabilities.

The monthly update also covers one multiple Microsoft Edge (Chromium-based) published between April 15 and May 5, 2023.

Microsoft Products Affected

Zero day CVEs

Critical RCEs

Other CVEs

Related Articles