It’s patch Tuesday once again, and Adobe and Microsoft have released their monthly batch of security updates. Take a break from your regularly scheduled activities and join us as we review the details of the latest offerings from Microsoft and Adobe. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel.

Adobe Patches for May 2023

For May, Adobe released a single bulletin for Substance 3D Painter addressing 11 Critical-rated and 3 Important-rated vulnerabilities. All of these bugs were found and reported by ZDI vulnerability researcher Mat Powell. The most severe of these issues would allow an attacker to execute arbitrary code on an affected system if they can convince a user to open a specially-crafted file.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for May 2023

This month, Microsoft released 38 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Microsoft Edge (Chromium-based); SharePoint Server; Visual Studio; SysInternals; and Microsoft Teams. This is in addition to 11 CVEs in Chromium that were previously released for Edge and are now being documented in the Security Updates Guide.

A total of four of these bugs came were submitted through the ZDI program. This includes three SharePoint fixes that were reported during the most recent Pwn2Own Vancouver competition. However, none of the other bugs reported at that event have yet to be addressed by Microsoft.

Of the new patches released today, seven are rated Critical and 31 are rated Important in severity. May tends to be a smaller month for fixes historically, but this month’s volume is the lowest since August 2021. However, considering just the number of ZDI cases waiting to be patched, this number is expected to rise in the coming months.

One of the new CVEs is listed as under active attack and two are listed as publicly known at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the one bug under active attack:

-       CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability
This is the one bug listed as being under active attack at the time of release, and you must go all the way back to May of last year before you find a month where there wasn’t at least one Microsoft bug under active attack. This type of privilege escalation is usually combined with a code execution bug to spread malware. Considering this was reported by an AV company, that seems the likely scenario here. As always, Microsoft offers no information about how widespread these attacks may be.

-       CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability
While the title says OLE, when it comes to this bug, the real component to worry about is Outlook. This vulnerability allows an attacker to execute their code on an affected system by sending a specially crafted RTF e-mail. The Preview Pane is an attack vector, so a target doesn’t even need to read the crafted message. And while Outlook is the more likely exploit vector, other Office applications are also impacted. This is one of the publicly known bugs patched this month and has been widely discussed on Twitter. Although Microsoft offers some workarounds, it’s a better idea to test and deploy this update quickly.

-       CVE-2023-24941 – Windows Network File System Remote Code Execution Vulnerability
This bug has been given a CVSS of 9.8 and allows a remote, unauthenticated attacker to run arbitrary code on an affected system with elevated privileges. No user interaction is required. Another interesting thing about this vulnerability is that exists in NFS version 4.1 but not versions NFSv2.0 or NFSv3.0. You can mitigate this bug by downgrading to a previous version, but Microsoft warns that you should not use this mitigation unless you have the CVE-2022-26937 patch from May 2022 installed. The better idea is to test and deploy this month’s fix instead.

-       CVE-2023-24955 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This bug was demonstrated by the STAR Labs team during Pwn2Own Vancouver and was part of a chain used to obtain code execution on the target server. While this specific bug requires authentication, during the contest, it was combined with an authentication bypass. This is what would happen in real-world scenarios as well. Although there are other SharePoint fixes being released this month, additional patches will be required to fully address what was disclosed. Hopefully, we’ll see the remaining Pwn2Own fixes in the coming months.

Here’s the full list of CVEs released by Microsoft for May 2023:

* Indicates this CVE had been released prior to today.

Looking at the remaining Critical-rated patches, there’s another CVSS 9.8 bug in Pragmatic General Multicast (PGM) that looks identical to PGM bug patched last month. This could indicate a failed patch or, more likely, a wide attack surface in PGM that is just starting to be explored. There are patches for Critical-rated bugs in the LDAP and SSTP protocols. Finally, there’s an intriguing bug in MSHTML that could allow a remote attacker to escalate to administrator privileges. Microsoft doesn’t provide details here, but they do note some level of privileges are required. As written, it reads as though an authenticated user could browse to a site and gain administrative rights. 

Moving on to the other code execution bugs fixed this month, there are the standard open-and-own bugs in Office products. There are a couple of fixes for the AV1 Video Extensions, which are not installed by default. These updates are available from the Windows Store, so if you’re in a disconnected environment, you’ll need to manually apply these fixes. The code execution bug in RDP is somewhat troubling, but it’s client not server, so that lessens the severity a bit. The bug in Bluetooth requires the attacker to be in close physical proximity. The final RCE patch for May fixes a bug in the NuGet package manager client. Microsoft provides no details on the attack scenario, but it’s likely a client would need to connect to a specially crafted .NET project to be exploited.

In addition to the two already mentioned, there are eight other elevation of privilege (EoP) bugs being fixed this month. Most of these require an authenticated user to run specially crafted code, resulting in code execution at the level of SYSTEM. Like the Bluetooth RCE, the EoP in Bluetooth requires close proximity. The bug in Windows Installer only allows an attacker to delete targeted files rather than escalate to SYSTEM.

There are four security feature bypass (SFB) vulnerabilities being patched this month, including a publicly known bypass of the Secure Boot feature. As is typical, Microsoft does not provide information on where this vulnerability is public, however, they do provide some additional information about some additional configuration guidance resulting from this change. The bypass in Word would allow attackers to evade Office Protected View. The fix for Edge addresses a bug that could allow an iFrame sandbox escape, but not a full browser sandbox escape. The bug in the Driver Revocation List would allow an attacker to bypass the revocation list feature by modifying it and thus impact the integrity of that list.

The May release contains eight fixes for information disclosure bugs, including a SharePoint bug that was disclosed as a part of Pwn2Own. It was another piece of the SharePoint exploit chain mentioned above. For the most part, the remaining info disclosure bugs merely result in info leaks consisting of unspecified memory contents. There are some notable exceptions. The info disclosure in RDP Client could allow the recovery of plaintext information from TLS-protected data. The vulnerability in Teams could allow an attacker to disclose various “sensitive data,” including a user's full trust token. Although not specified, it’s possible this token could be replayed to impersonate a user. The last info disclosure fix is for Visual Studio. This bug allows attackers to disclose NTLM hashes. Again, it’s possible these hashes could be passed to impersonate other users.

There are five fixes for denial-of-service (DoS) bugs in the release, and four of these are mostly unremarkable. The fifth, however, impacts only the hotpatch version of Windows Server 2022. It also impacts SMB over QUIC, which is a rather interesting VPN-like functionality for SMB. Apart from the DoS in Access, it’s unclear if any of these bugs blue screen the system or merely interrupt service operations. The bug in Access impacts the database connectivity but doesn’t fully deny service.

Finally, there is a spoofing bug in SharePoint receiving a patch this month. It was reported through the ZDI program by an anonymous researcher and could allow an authenticated attacker to cause the server to leak its NTLM hash. Any user on the SharePoint site has the needed permissions.

No new advisories were released this month, but there was a patch re-release of note. CVE-2022-26928 was re-released to add security updates for all affected versions of Microsoft Windows. Microsoft indicates these new updates are needed to “fully address” the bug, which sounds like the original fix from last year was incomplete. Regardless, ensure you don’t miss applying this update to your systems – again.

Looking Ahead

The next Patch Tuesday will be on June 13, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!