Connect with us

Hi, what are you looking for?



Microsoft Patch Tuesday: 40 Vulnerabilities, 2 Zero-Days

Microsoft’s May 2023 security updates address a total of 40 newly documented vulnerabilities, including two flaws already exploited in attacks.

Microsoft on Tuesday announced patches for 40 newly documented vulnerabilities in its products, including two zero-day flaws.

One of the zero-days, CVE-2023-29336, is described as an elevation of privilege bug in the Win32k driver. Successful exploitation could allow an attacker to gain System privileges.

Microsoft has shared no information on the attacks exploiting this vulnerability, but such issues are typically combined with code execution flaws to spread malware, according to Trend Micro’s Zero Day Initiative (ZDI), which published a summary of the patches. 

Reported by Avast, CVE-2023-29336 impacts systems running Windows 10 and Windows Server 2008, 2012, and 2016.

Reported by ESET and SentinelOne researchers, the second zero-day, CVE-2023-24932, is described as a Secure Boot security feature bypass that could allow an attacker with physical access or administrative privileges to execute self-signed code at the UEFI level.

The issue has been exploited by the BlackLotus UEFI bootkit that first emerged in October 2022, and which can disable security applications and other defense mechanisms on vulnerable machines.

Addressing CVE-2023-24932, Microsoft says, requires revoking boot managers, an irreversible action that could cause issues for some boot configurations.

Advertisement. Scroll to continue reading.

Microsoft’s May 2023 update does not provide a full patch for the vulnerability, but represents the first step in resolving the issue. Automated deployment of the revocation files will be added on July 2023 Patch Tuesday and the revocations will be enforced starting with the first quarter of the next year.

“The May 9, 2023 security update provides configuration options to manually enable protections for the Secure Boot bypass but these protections are not enabled automatically. Before you enable these protections, you must verify your devices and all bootable media are updated and ready for this security hardening change,” the tech giant explains in a knowledge base article.

Some of the critical vulnerabilities patched with Microsoft’s latest updates include remote code execution flaws in Windows Network File System (CVE-2023-24941), Windows Pragmatic General Multicast (CVE-2023-24943), and Windows OLE (CVE-2023-29325).

The tech giant also resolved CVE-2023-24955, a remote code execution flaw in SharePoint Server that was disclosed by the Star Labs team at the Pwn2Own Vancouver 2023 exploit contest.

Microsoft’s May 2023 Patch Tuesday updates address other elevation of privilege and remote code execution bugs, along with information disclosure, denial-of-service, and security feature bypass flaws.

In addition to the 40 Microsoft-specific vulnerabilities, the release notes mention nine Chrome security defects that the tech giant is now addressing in the Chromium-based Edge browser.

Related: Adobe Patches 14 Vulnerabilities in Substance 3D Painter

Related: ICS Patch Tuesday: Siemens, Schneider Electric Address Few Dozen Vulnerabilities

Related: Microsoft Patch Tuesday: 97 Windows Vulns, 1 Exploited Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.