What you need to know:
- A security update for Windows 11 was pushed live on May 9, 2023 and included fixes for 38 flaws including 3 zero-day vulnerabilities.
- 6 of the vulnerabilities patched in the update were deemed ‘Critical’ as they allowed remote code execution.
- A patch for the BlackLotus bootkit vulnerability was deployed but needs to be manually enabled.
- A security update released on May 5th for Microsoft Edge fixed an additional 11 vulnerabilities.
Microsoft’s Patch Tuesday brought a slew of security updates to Windows 11 users, but May 2023’s roster of fixes is considerably smaller than some of the patches that came before it. Despite being smaller in stature, this security update fixes several major exploitations, including two which were classified as Zero-Day vulnerabilities that had been actively exploited in the wild along with a third that had been publicly disclosed (via Bleeping Computer).
May 2023’s Patch Tuesday includes a fix for an exploit using CVE-2023-24932, a security bypass law that could be used to install a malicious UEFI bootkit known as BlackLotus. The BlackLotus campaign has been particularly problematic for Microsoft, despite the company only listing the severity of the vulnerability as ‘Important’.
Microsoft claims that this downgraded severity is because a threat actor would need physical access to a device as well as administrative privileges in order to properly bypass Secure Boot measures. However, BlackLotus bootkits have been maintained and sold across hacker forums since October and even Microsoft has acknowledged that it is possible to bypass Secure Boot without physical access to an unpatched device. While the May 2023 patch does provide a fix for CVE-2023-24932 by updating Windows Boot Manager, the fix itself is not enabled by default.
Patch Tuesday also adds a fix for CVE-2023-29336, a privilege elevation vulnerability that allows an attacker to gain SYSTEM privileges if exploited, as well as CVE-2023-29325 which exploited Microsoft Outlook via infected emails that could result in the execution of remote code. Microsoft has advised that users read email messages in plain text format when using Outlook as a preventative measure from falling victim to CVE-2023-29325. One other zero-day vulnerability which had been publicly disclosed but not actively exploited was also patched as part of the May 2023 update.
The patch for May covered 38 vulnerabilities in all, 6 of which were deemed Critical and included the following categories:
- Elevation of Privilege
- Security Feature Bypass
- Remote Code Execution
- Information Disclosure
- Denial of Service
- Spoofing
In addition to Windows 11's security patches, Microsoft also rolled out a security update for Microsoft Edge on May 5th which fixed an additional 11 vulnerabilities. The May 2023 update also marked the end of service for all editions of Windows 10 version 20H2.
