The Microsoft May 2023 Security Updates include patches and advisories for 49 vulnerabilities, including 6 Critical severity issues and two zero-days exploited in the wild.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
Microsoft Products Affected
This month’s Microsoft security updates cover multiple impacted products and families, including, but not limited to (listing those with vulnerability CVSS scores greater than 7):
- Microsoft Bluetooth Driver
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Windows Codecs Library
- Reliable Multicast Transport Driver (RMCAST)
- Remote Desktop Client
- Windows Backup Engine
- Windows Installer
- Windows Kernel
- Windows LDAP – Lightweight Directory Access Protocol
- Windows MSHTML Platform
- Windows Network File System
- Windows NFS Portmapper
- Windows OLE
- Windows Remote Procedure Call Runtime
- Windows Secure Socket Tunneling Protocol (SSTP)
- Windows SMB
- Windows Win32K
Readers can check out the May 2023 Release Notes and also download more vulnerability and patch details via Microsoft’s Security Update Guide.
Zero day CVEs
Microsoft patched two zero days exploited in the wild:
- CVE-2023-29336: Win32k Elevation of Privilege Vulnerability (CVSS 7.8)
- CVE-2023-24932: Secure Boot Security Feature Bypass Vulnerability (CVSS 6.7)
Regarding CVE-2023-29336, which affects Win32k, an attacker who successfully exploited this vulnerability could gain SYSTEM privileges. CISA also added this vulnerability to its Known Exploited Vulnerabilities Catalog on May 9, 2023.
For CVE-2023-24932 that affects Secure Boot, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy. As a consequence, a bad actor could bypass Secure Boot by exploiting this vulnerability.
Microsoft confirmed “Exploitation Detected” in each of the advisories and has rated each vulnerability as Important.
In addition, Microsoft patched the following six (6) Critical Remote Code Execution (RCE) vulnerabilities (along with CVSS score) on May 9, 2023:
- CVE-2023-24903: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2023-24941: Windows Network File System Remote Code Execution Vulnerability (CVSS 9.8)*
- CVE-2023-24943: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability (CVSS 9.8)
- CVE-2023-24955: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVSS 7.2)*
- CVE-2023-28283: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2023-29325: Windows OLE Remote Code Execution Vulnerability (CVSS 8.1)*
*Of special note: Microsoft warned that three of the Critical CVEs (CVE-2023-24941, CVE-2023-24955, CVE-2023-29325) are “More Likely” to be exploited.
Regarding the most severe of the Critical issues (CVE-2023-24941), Microsoft warned the vulnerability “could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).”
Moreover, Microsoft addressed multiple other vulnerabilities in multiple products on May 5 and May 9, 2023.
The patched issues rated Important or Moderate in severity include Denial of Service (5), Elevation of Privilege (8), Information Disclosure (8), Remote Code Execution (6), Security Feature Bypass (5), and Spoofing (2) vulnerabilities.
The monthly update also covers Microsoft Edge (Chromium-based) vulnerabilities published between April 15 and May 5, 2023.