talosblog
Jonathan Munshaw
TALOSBLOG:680460DE5069C4BADEBAFE9DFE9691C8
History: May 09, 2023 - 5:47 p.m.

Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years

2023-05-09 17:47:29
Jonathan Munshaw
blog.talosintelligence.com

CVSS3: 9.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.784 High

  • Percentile: 97.8%

Microsoft disclosed 40 vulnerabilities across its suite of products and software Tuesday, the fewest the company's included in a Patch Tuesday since December 2019.

However, two of the vulnerabilities are being actively exploited in the wild, according to Microsoft, making this the fourth month in a row in which the monthly roundup of security issues includes actively exploited vulnerabilities.

In all, this Patch Tuesday includes seven critical vulnerabilities and 33 that are considered "important."

One of the zero-day vulnerabilities included this month is CVE-2023-29336, an elevation of privilege vulnerability in the Win32k kernel mode driver. An adversary could exploit this vulnerability to gain SYSTEM privileges.

The most serious vulnerability disclosed Tuesday is CVE-2023-24941, a remote code execution vulnerability in the Windows Network File System that has a severity rating of 9.8 out of 10. An adversary could exploit this vulnerability over a network by making an unauthenticated, specially crafted call to an NFS service to execute code on the targeted machine. In addition to today's patch, Microsoft also outlines several mitigation steps affected users can deploy to prevent exploitation of this vulnerability.

Another critical remote code execution vulnerability, CVE-2023-29325, exists in Windows OLE. An attacker could trigger this issue by tricking a target into opening a specially crafted, malicious email. The vulnerability can even be triggered if the user just opens the email in the Preview pane.

CVE-2023-24955 is another remote code execution vulnerability, this one in Microsoft SharePoint Server, that Microsoft considers "more likely" to be exploited.

MSHTML, a software component that renders web pages in Microsoft browsers, also contains a critical vulnerability that could allow an attacker to gain admin privileges on a targeted device. CVE-2023-29324, however, is more difficult for an attacker to trigger than the other vulnerabilities mentioned above because it requires "an attacker to take additional actions prior to exploitation to prepare the target environment," according to Microsoft.

There are two other critical vulnerabilities in this month's security update that Microsoft considers "less likely" to be exploited:

There are also three important vulnerabilities considered "more likely" to be exploited, though they are not considered as serious:

  • CVE-2023-24949: Windows Kernel elevation of privilege vulnerability
  • CVE-2023-24950: Microsoft SharePoint Server spoofing vulnerability
  • CVE-2023-24954: Microsoft SharePoint Server information disclosure vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61705 - 61707, 61714 - 61720, 61722 and 61723.
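A coverage check for the SIDs listed above, as an added example that is not part of the original post or any Talos tooling: it expands the SID list and reports which of those rules are enabled, commented out or absent in a rules file. The sample rule lines are constructed placeholders (not real rule content), and the function names are hypothetical.

```python
import re

# SID list exactly as written in the post.
SID_SPEC = "61705 - 61707, 61714 - 61720, 61722 and 61723"

# Constructed sample lines standing in for a local rules file.
SAMPLE_RULES = """\
# constructed sample lines, not real Talos rule content
alert tcp any any -> any any (msg:"constructed sample A"; sid:61705; rev:1;)
# alert tcp any any -> any any (msg:"constructed sample B"; sid:61706; rev:1;)
alert tcp any any -> any any (msg:"constructed sample C"; sid:61722; rev:1;)
"""

# A rule line starts with an action; a leading '#' means it ships disabled.
RULE_RE = re.compile(
    r"^\s*(#\s*)?(?:alert|block|drop|log|pass|reject|sdrop)\b.*?\bsid\s*:\s*(\d+)\s*;"
)

def expand_sids(spec):
    """Expand 'a - b, c and d' style text into a sorted list of SIDs."""
    sids = set()
    for lo, hi in re.findall(r"(\d+)(?:\s*-\s*(\d+))?", spec):
        sids.update(range(int(lo), int(hi or lo) + 1))
    return sorted(sids)

def audit(rules_text, wanted):
    """Map each wanted SID to 'enabled', 'disabled' or 'missing'."""
    seen = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        sid = int(m.group(2))
        status = "disabled" if m.group(1) else "enabled"
        # An enabled copy of a rule takes precedence over a commented one.
        if seen.get(sid) != "enabled":
            seen[sid] = status
    return {sid: seen.get(sid, "missing") for sid in wanted}

if __name__ == "__main__":
    report = audit(SAMPLE_RULES, expand_sids(SID_SPEC))
    for sid, status in report.items():
        print(f"{sid}: {status}")
    gaps = [sid for sid, status in report.items() if status != "enabled"]
    print(f"{len(gaps)} of {len(report)} SIDs are not enabled")
```

To run it against a real deployment, pass the contents of the rules file in place of `SAMPLE_RULES`.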
