Microsoft has released its Patch Tuesday updates for May 2023, which include fixes for 38 security vulnerabilities, including one zero-day flaw currently being actively exploited.
The Zero Day Initiative (ZDI) from Trend Micro reports that this is the lowest number of security fixes released since August 2021, but warns that this number is likely to increase in the coming months.
Of the 38 vulnerabilities addressed, six are considered critical and 32 are classified as important. Microsoft has labeled eight of these as “Exploitation More Likely” risks. This is in addition to 18 other vulnerabilities, including 11 bugs discovered since the April Patch Tuesday updates, which have been resolved in the Chromium-based Edge browser.
The top priority for the company is CVE-2023-29336, a privilege escalation flaw in Win32k that is actively being exploited. This flaw allows an attacker to gain SYSTEM privileges. Microsoft advises organizations to apply vendor fixes by May 30, 2023, and the US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog.
Two other critical vulnerabilities, CVE-2023-29325 and CVE-2023-24932, have also been publicly disclosed. Microsoft is urging users to read email messages in plain text format to protect against CVE-2023-29325, while CVE-2023-24932 is a Secure Boot security feature bypass used primarily as a persistence and defense evasion mechanism.
The revocations for the latter vulnerability are disabled by default and require manual application by customers, but they cannot be reverted if Secure Boot is still in use on the device. Other vendors, including Adobe, AMD, Apple, Cisco, and Mozilla Firefox, have also released security updates in the past few weeks.