Microsoft issued fixes for just 38 CVEs this month, including three zero-day vulnerabilities.
Although this month’s Patch Tuesday update round is one of the smallest this year, experts warned that sysadmins should move quickly to patch the zero-days, two of which are being actively exploited in the wild.
The first is CVE-2023-29336, an elevation of privilege vulnerability in Win32k that grants the attacker SYSTEM privileges, allowing them to escalate their access rights. Although an attacker must first hold basic privileges on the system, these are easily obtained through phishing or credential harvesting.
“It has a local attack vector, meaning the attacker needs access to the targeted system. The attack complexity is low, requiring minimal privileges and no user interaction,” explained Mike Walters, VP of vulnerability and threat research at Action1.
“As of now, no workarounds or alternative solutions are available, making the installation of the updates the most effective way to mitigate the risk and ensure the security of your systems.”
The second CVE being actively exploited in the wild is CVE-2023-24932: a low-complexity Secure Boot security feature bypass that also requires no user interaction.
An attacker would need physical or administrator access to a target system to exploit the CVSS 6.7-rated vulnerability, said Walters.
“Successful exploitation of this vulnerability allows an attacker to bypass secure boot, thereby enabling the loading of malicious drivers or malware without Microsoft-trusted signatures during Windows startup,” he explained.
“To address this vulnerability, a security update has been released that updates the Windows Boot Manager. However, it is important to note that this update is not enabled by default. To mitigate the vulnerability, you must follow three essential steps detailed in the Microsoft article KB5025885.”
The final zero-day patched this month is CVE-2023-29325: a critical remote code execution bug in Windows OLE. A proof-of-concept is available for the bug, meaning that attacks in the wild will not be far away.
“With this vulnerability, the simple act of glancing at a carefully crafted malicious email in Outlook’s preview pane is enough to enable remote code execution and potentially compromise the recipient’s computer,” explained Yoav Iellin, senior researcher at Silverfort.
“At this stage, we believe Outlook users will be the main attack vector, although it has the potential to be used in other Office programs as well. We recommend ensuring clients’ Windows machines and Office software are fully up to date and considering following the workaround given by Microsoft while deploying the patch.”