May’s Patch Tuesday release from Microsoft appears to be on the lighter side with only 48 vulnerabilities. However, two more zero-day vulnerabilities have been patched, which marks 11 straight months of zero-days since June of 2022.

The first zero-day is an important elevation of privilege weakness in Win32k, a core component of Windows operating systems that provides an interface for graphical user interface (GUI) functions at the kernel-level. The vulnerability affects some versions of Windows 10 and Server 2008-2016.

The second zero-day patched this month is an important vulnerability that allows an attacker with physical access to an endpoint or admin credentials to bypass Secure Boot. Unfortunately, updating Secure Boot is not straightforward and errors can result in unrecoverable media, so be careful when applying the fix.

Another vulnerability to prioritize this month is a critical remote code execution weakness in Windows Network File System (NFS). The vulnerability affects Windows Server 2012-2022 and can be exploited over the network, so we recommend patching within 72 hours with a priority on internet-facing endpoints or those with sensitive data.

You should also patch an important elevation of privilege vulnerability affecting the Windows Kernel in most versions of Windows 10, 11, and Server 2019-2022. Attackers with non-privileged credentials obtained through social engineering or other means can execute a relatively simple attack and elevate to SYSTEM privileges, effectively granting them system control to possibly install malicious software, exfiltrate data, or move laterally to other endpoints.

Win32k Elevation of Privilege Vulnerability [IMPORTANT ZERO-DAY]

CVE-2023-29336 is an important and actively exploited zero-day vulnerability in Win32k that scores a CVSS 7.8. When exploited successfully, the vulnerability allows for the elevation of privileges to SYSTEM. Win32k is a core component of Windows operating systems that provides an interface for graphical user interface (GUI) functions at the kernel-level. Win32k runs in a privileged context, which means that vulnerabilities affecting it could result in malicious actors gaining control over the system. 

As a result, Win32k vulnerabilities are usually popular targets for attackers. Since the vulnerability is already being exploited in the wild, we recommend patching within 24 hours on Windows 10 (and version 1607) and Server 2008-2016. - Gina Geisel

Secure Boot Security Feature Bypass Vulnerability [IMPORTANT ZERO-DAY]

This vulnerability is an important, actively exploited zero-day that allows an attacker with physical access or administrative rights to a target device to install an affected boot policy and potentially bypass secure boot. The vulnerability scores a CVSS 6.7/10 and affects most versions of Windows 10, 11, and Server 2008-2022. To remediate, you'll need to update the Windows Boot Manager and follow the steps outlined here. If done incorrectly, endpoints may not be able to start or be recovered from media. - Peter Pflaster

Windows Network File System Remote Code Execution Vulnerability [CRITICAL]

This critical network vulnerability has returned and is exploited by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). With low attack complexity and no privileges or user interaction required, we recommend patching within 72 hours on Windows Server 2012, 2016, 2019, and 2022. If you are unable to patch, an option is applying a temporary fix from Microsoft - they also note that this fix should only be applied if you have already applied security updates from May 2022 (last year’s). Again, temporary mitigation is an option though Automox recommends patching the vulnerability as the best practice. - Preetham Gurram

Windows Kernel Elevation of Privilege Vulnerability [IMPORTANT]

Elevation of privilege, also referred to as privilege escalation, is a vulnerability that allows an adversary to gain unauthorized access by elevating the access and execution permissions to carry out attacks on the system. Elevation of privilege vulnerabilities are considered highly dangerous and are often targeted by attackers because they provide a way to perform a wide range of malicious activities, including stealing sensitive data, installing malware, and taking over the system.

The vulnerability is identified in the Windows kernel, a core part of the operating system that manages system resources and provides low-level access to hardware. This vulnerability affects Windows Server versions 2019, 2022, Windows 10, and Windows 11 (Including Arm-based, x64 versions). Patching can mitigate the vulnerability. Automox recommends patching this vulnerability within 72 hours to minimize exposure to unnecessary cyber risks. - Gina Geisel