Two Microsoft Windows bugs under attack, one in Secure Boot with a manual fix
On the plus side, this month's update batch is a bit smaller than usual
May's Patch Tuesday brings some good and some bad news, and if you're a glass-half-full type, you'd lead off with Microsoft's relatively low number of security fixes: a mere 38.
Your humble vulture, however, is a glass-half-empty-and-who-the-hell-drank-my-whiskey kind of bird, so instead of looking on the bright side, we're looking at the two Microsoft bugs that have already been found and exploited by miscreants. Plus a third vulnerability, which has been publicly disclosed. We'd suggest patching these three stat.
Six of the 38 vulnerabilities are deemed "critical" because they allow remote code execution.
The two that are under active exploit, at least according to Microsoft, are CVE-2023-29336, a Win32k elevation of privilege vulnerability; and CVE-2023-24932, a Secure Boot security feature bypass vulnerability, which was exploited by the BlackLotus bootkit to infect Windows machines. Interestingly enough, BlackLotus abused CVE-2023-24932 to defeat a patch Microsoft issued last year that closed another bypass vulnerability in Secure Boot. Thus Redmond fixed a hole in Secure Boot, and this malware abused a second bug, CVE-2023-24932, to get around that.
CVE-2023-29336 is a 7.8-out-of-10 rated flaw in the Win32k kernel-mode driver that can be exploited to gain system privileges on Windows PCs.
"This type of privilege escalation is usually combined with a code execution bug to spread malware," Zero Day Initiative's Dustin Childs said. "Considering this was reported by an AV company, that seems the likely scenario here."
Redmond credited Avast bug hunters Jan Vojtešek, Milánek, and Luigino Camastra with finding and disclosing the bug.
Time to boot out a threat
Meanwhile, CVE-2023-24932 received its own separate Microsoft Security Response Center (MSRC) advisory and configuration guidance, which Redmond says is necessary to "fully protect against this vulnerability."
"This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled," MSRC warned. "This is used by threat actors primarily as a persistence and defense evasion mechanism."
It also noted, however, that to successfully exploit this flaw, an attacker must have physical access or local admin privileges on the targeted device.
Redmond says ESET's Martin Smolár and SentinelOne's Tomer Sne-or disclosed the bug, and Smolár initially sounded the alarm on BlackLotus malware bypassing Secure Boot back in March. Prior to that, Kaspersky's lead security researcher Sergey Lozhkin first saw BlackLotus being sold on cybercrime marketplaces back in October 2022.
This is significant because BlackLotus, a UEFI bootkit that's sold on hacking forums for about $5,000, is a rare malware strain in that it runs on Windows systems even with the Secure Boot firmware security feature enabled. That functionality should instead block BlackLotus.
Secure Boot is supposed to prevent devices from running unauthorized or malicious software before the operating system, such as Windows, executes. By targeting weaknesses in this boot process, BlackLotus loads before anything else, including the operating system and any security tools that could stop it. The malware can disable antivirus defenses, and installs a kernel driver that receives commands from a control server to carry out, effectively placing a remote-control backdoor in the machine.
While Microsoft released a fix, of sorts, for the Windows boot manager in today's patchapalooza to thwart the bootkit, the CVE-2023-24932 update is disabled by default and requires customers to manually update bootable media to fully implement the protections. As security analyst Will Dormann quipped: "Feel free to cry a bit and/or consider a career change."
In July, Microsoft will issue a second release to simplify deployment of the patch. And by the first quarter of 2024, we'll have a final fix for the bug by default across all Windows devices.
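Because the Secure Boot protection has to be switched on deliberately, admins will want a way to inventory where each machine stands before and after rolling it out. The script below is an added example, not code from the article or from Microsoft: it records whether Secure Boot is enabled, the size of the firmware's forbidden-signature database (dbx, which grows when revocation updates are applied), and a hash of the boot manager copy staged under the Windows directory so it can be compared with a known-good baseline. It uses only the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets; the staged boot manager path is an assumption about a standard install and should be adjusted for your environment.

```powershell
# Added example (not from the article or from Microsoft): Secure Boot posture
# check for fleet inventory. Run in an elevated PowerShell on a UEFI machine.
#Requires -RunAsAdministrator

function Get-SecureBootPosture {
    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootOn      = $false
        DbxBytes          = $null   # size of the forbidden-signature database
        BootManagerPath   = $null
        BootManagerSHA256 = $null
        Notes             = @()
    }

    # Confirm-SecureBootUEFI throws on legacy-BIOS or unsupported firmware,
    # so a failure is recorded as "not enabled" rather than aborting the run.
    try {
        $result.SecureBootOn = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result.Notes += "Secure Boot state unavailable: $($_.Exception.Message)"
    }

    # dbx holds revoked certificates and hashes. Track its size over time so a
    # machine that never received a revocation update stands out in the inventory.
    try {
        $dbx = Get-SecureBootUEFI -Name dbx
        $result.DbxBytes = $dbx.Bytes.Length
    } catch {
        $result.Notes += "dbx not readable: $($_.Exception.Message)"
    }

    # Assumed path of the boot manager copy that Windows stages for the EFI
    # System Partition; hash it so it can be compared against a baseline.
    $bootMgr = Join-Path $env:SystemRoot 'Boot\EFI\bootmgfw.efi'
    if (Test-Path $bootMgr) {
        $result.BootManagerPath   = $bootMgr
        $result.BootManagerSHA256 = (Get-FileHash -Path $bootMgr -Algorithm SHA256).Hash
    } else {
        $result.Notes += "Staged boot manager not found at $bootMgr"
    }

    return [pscustomobject]$result
}

# Usage: collect the posture and emit it as JSON for a central inventory.
Get-SecureBootPosture | ConvertTo-Json -Depth 3
```

A machine reporting SecureBootOn as false, or a dbx size that never changes after the revocation update is applied, is one to look at first; the boot manager hash is only meaningful once you have recorded a baseline from a machine you trust.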
Finally, the publicly disclosed bug that has not (yet) been exploited (as far as we know) is CVE-2023-29325, a Windows OLE Remote Code Execution (RCE) vulnerability that received an 8.1 CVSS rating.
Redmond says an attacker could exploit this flaw by sending a specially crafted email to the target, who opens it with a vulnerable version of Outlook or allows it to be displayed in a preview pane.
This is because, as Childs notes, "the Preview Pane is an attack vector." Also, while Outlook looks like the most likely exploit vector, it can affect other Office applications, so prioritize patching this one.
Adobe's single security bulletin
Adobe, likewise, addressed a smaller-than-usual number of vulnerabilities in May. It released just one security bulletin for Adobe Substance 3D Painter to address 14 CVEs, 11 of which are rated critical and the rest important.
"Successful exploitation could lead to arbitrary code execution and memory leak in the context of the current user," Adobe said.
None of the bugs are listed as under attack or publicly known.
SAP Hot News fixes
SAP released 25 new and updated security patches, including two Hot News and nine High Priority notes.
One of the Hot News notes, #3328495, received a 9.8 CVSS score and patches five vulnerabilities in version 14.2 of the Reprise License Manager (RLM) component used with SAP 3D Visual Enterprise License Manager.
Android's May patches
Android's latest security bulletin resolved 18 flaws.
"The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed," Google warned.
The good news, however: exploiting this vulnerability, tracked as CVE-2023-21110, does require user interaction. So maybe we'll have to reconsider our glass-half-empty viewpoint. ®