Microsoft releases Patch Tuesday updates for May 2023 with fixes for 38 Security Flaws, including a Zero-Day bug

Microsoft has released its Patch Tuesday updates for May 2023, which include fixes for 38 security flaws. Of these, 6 are considered critical and 32 are important. The company also flagged 8 vulnerabilities as being more likely to be exploited.

The update includes a patch for a zero-day bug, CVE-2023-29336, that is being actively exploited in the wild. The flaw is a privilege escalation vulnerability in Win32k, discovered by Avast researchers. The US Cybersecurity and Infrastructure Security Agency has added the flaw to its Known Exploited Vulnerabilities catalog and urged organizations to apply patches by the end of May.

The update also addresses two publicly known vulnerabilities: a critical remote code execution flaw impacting Windows OLE, and a Secure Boot security feature bypass that is weaponized by the BlackLotus UEFI bootkit to exploit CVE-2022-21894. The latter flaw allows attackers to execute self-signed code at the UEFI level while Secure Boot is enabled. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device. The fix is disabled by default, and customers must manually apply the revocations after updating all bootable media.

The Zero Day Initiative (ZDI) noted that the volume of security flaws addressed in the update is the lowest since August 2021, but warned that the number is expected to rise in the coming months. In addition to the 38 vulnerabilities, Microsoft also resolved 18 flaws, including 11 bugs, in its Chromium-based Edge browser following the release of April's Patch Tuesday updates.

by Danilo Venom
