On Tuesday, Microsoft released 38 security updates, including fixes for two vulnerabilities that attackers are already exploiting.
In addition, another vulnerability was publicly disclosed but has not yet been exploited. We recommend installing these patches as soon as possible. As a reminder, we also wrote that Microsoft patched the OMIGOD vulnerabilities on Azure Linux VMs, and that Microsoft released urgent patches for bugs affecting IPsec and L2TP VPN connections.
Six of the 38 vulnerabilities have a critical severity level, as they allow remote code execution.
The two vulnerabilities that, according to Microsoft, are being actively exploited are CVE-2023-29336, a privilege escalation in Win32k, and CVE-2023-24932, a Secure Boot bypass. The latter was used by the BlackLotus bootkit to infect Windows computers. Interestingly, BlackLotus bypassed a Microsoft patch released last year that closed a different vulnerability in Secure Boot.
So Microsoft fixed one hole in Secure Boot, and this malicious code used another vulnerability, CVE-2023-24932, to get around that fix.
CVE-2023-29336 is a vulnerability rated 7.8 out of 10 in the kernel-mode Win32k driver that can be used to gain SYSTEM privileges on Windows machines.
Microsoft thanked Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra for finding and disclosing this bug.
The CVE-2023-24932 vulnerability received a separate security advisory and configuration guide from the Microsoft Security Response Center (MSRC), which Microsoft says is necessary to “completely protect against this vulnerability.”
Microsoft reports that ESET’s Martin Smolár and SentinelOne’s Tomer Sne-or reported the bug, with Smolár first raising the alarm that BlackLotus was bypassing Secure Boot back in March.
BlackLotus is a UEFI bootkit sold on hacker forums for around $5,000. It is a rare type of malware in that it runs on Windows systems even with Secure Boot enabled, the very feature that was supposed to block it.
Secure Boot is designed to prevent a device from running unauthorized or malicious software before the operating system, such as Windows, starts. By exploiting weaknesses in this boot process, BlackLotus loads before everything else, including the operating system and any security tools that might stop it.
The malware can disable antivirus protection and installs a kernel driver that receives commands from a command-and-control server, effectively creating a remotely controlled backdoor.
While Microsoft released a fix for the Windows Boot Manager in today’s patch to counter the bootkit, the CVE-2023-24932 mitigation is disabled by default and requires customers to manually configure the system to fully enable the protection. As security analyst Will Dormann joked, “Feel free to cry a little and/or consider a career change.”
In July, Microsoft will ship a second update to make the mitigation easier to deploy, and by the first quarter of 2024 the fix is expected to be enabled by default on all Windows devices.
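Because the mitigation is opt-in, a practitioner will want a quick way to see where a machine stands. The following read-only check is an added example, not code from the article or from Microsoft; it assumes the certificate names it searches for (“Windows UEFI CA 2023” in the Secure Boot db, “Microsoft Windows Production PCA 2011” in the dbx revocation list) are the ones the MSRC configuration guide uses to describe the applied mitigation, and it must run from an elevated PowerShell session.

```powershell
# Added example (not from the article): report Secure Boot state relevant to the
# CVE-2023-24932 / BlackLotus mitigation. Assumptions: the certificate names
# below match those in Microsoft's configuration guide; requires elevation.
#Requires -RunAsAdministrator

function Get-SecureBootMitigationState {
    $result = [ordered]@{
        SecureBootEnabled      = $false
        NewBootManagerCaInDb   = $false   # 2023 CA present: patched boot manager can be trusted
        OldProductionCaRevoked = $false   # 2011 CA in dbx: old, BlackLotus-abusable boot managers refused
    }
    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS systems and non-UEFI VMs
        Write-Warning "Secure Boot is not supported on this platform: $_"
        return [pscustomobject]$result
    }

    # Get-SecureBootUEFI returns the raw variable bytes; certificate subject names
    # are stored as ASCII inside the DER blobs, so a substring match is enough here.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    $result.NewBootManagerCaInDb   = [bool]($db  -match 'Windows UEFI CA 2023')
    $result.OldProductionCaRevoked = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
    [pscustomobject]$result
}

$state = Get-SecureBootMitigationState
$state | Format-List

if ($state.SecureBootEnabled -and -not $state.OldProductionCaRevoked) {
    Write-Warning 'Revocations not applied: boot managers signed by the 2011 CA are still trusted, so the update alone does not stop BlackLotus.'
}
```

Apply the revocation step only after every boot medium (recovery media, backup images, PXE images) has been updated to the new boot manager, since firmware will refuse to boot anything still signed only by the revoked CA.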
Finally, the publicly disclosed bug that is not yet exploited (as far as we know) is CVE-2023-29325, a Windows OLE remote code execution vulnerability with a CVSS score of 8.1.
Microsoft says an attacker could exploit this vulnerability by sending a specially crafted email to a target who opens it in an affected version of Outlook or lets it render in the preview pane. While Outlook looks like the most likely exploitation vector, the vulnerability could also affect other Office applications, so it is important to install this patch as soon as possible.
In addition to these vulnerabilities, Microsoft also fixed bugs in Azure Sphere (CVE-2023-29337), .NET Core and Visual Studio, Exchange Server, SharePoint Server, Skype for Business Server, and Lync Server.