The Australian Cyber Security Centre (ACSC) has reviewed the Microsoft May 2023 Security Update.
The Security Update provided patches for 40 vulnerabilities. 2 vulnerabilities are believed to have been exploited. 6 vulnerabilities are rated ‘Critical’. The following vulnerabilities are important based on their severity, widespread use of the related product and/or likelihood of exploitation. Network File System (NFS) Remote Code Execution (CVE-2023-24941): Critical CVSS Rating of 9.8 Allows unauthenticated remote code execution (RCE) with low complexity. Exploitation is likely to occur. NFS is a common file sharing solution. Outlook Remote Code Execution (CVE-2023-29325): A malicious email sent to a victim can cause RCE when the email is viewed, including in the preview panel. Outlook is a widely used email client. This vulnerability is likely to be exploited in phishing campaigns and can affect individuals, business and government. Lightweight Directory Access Protocol Remote Code Execution (CVE-2023-28283): An unauthenticated attacker can get RCE in the context of an LDAP Service. Control over the LDAP service can lead to control of the Active Directory. LDAP is widely used in government and business environments as part of Active Diretory. Multiple SharePoint vulnerabilities (CVE-2023-24955, CVE-2023-24950, CVE-2023-24954): Multiple authenticated vulnerabilities affecting Microsoft SharePoint. Vulnerabilities allow for RCE and leaking of sensitive security information. Each of these could lead to compromise. Many organisations keep sensitive information in SharePoint. The requirement for single factor authentication is not a significant mitigation against authenticated vulnerabilities for internet facing systems. Malicious actors have many techniques and information sources for gaining authenticated access. Win32 Kernel Elevation of Privilege (CVE-2023-29336): A local privilege escalation vulnerability affecting Windows systems. Elevation to SYSTEM privileges which can allow an attacker to take full control of a system. Microsoft reports active exploitation detected. Windows Secure Boot Bypass Flaw (CVE-2023-24932): UEFI Boot bypass flaw being used to install the Black Lotus UEFI Bootkit, which has been used to deploy persistent malware. Microsoft reports active exploitation detected. Additional actions are required after patching. https://support.microsoft.com/help/5025885 Mitigation / How do I stay secure? Technical subject matter experts that use Microsoft products should read the associated security update guides available for their products. Security Update Guide - Microsoft The UEFI vulnerability has additional mitigations required after patching. General users should consider enabling automatic patching of Microsoft products if they have not already done so.