On May 9, 2023, Microsoft released security updates for Windows clients and servers, for Office and for other products. The security updates fix 37 CVE vulnerabilities, six of which are rated critical and the remainder important. Below is a compact overview of the updates released on this Patchday. A list of the updates can be found on this Microsoft page; details about the update packages for Windows, Office, etc. are available in separate blog posts.
Notes on the updates
Windows 10 versions 20H2 to 22H2 share a common core and an identical set of system files, so the same security update is delivered for all of these Windows 10 versions. Information on enabling the features of the newer version, which is done through an Enablement Package update, can be found in this Techcommunity post.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as the updates for their server counterparts) are cumulative. The monthly Patchday update includes all security fixes for these Windows versions, plus any non-security fixes released up to Patchday. Besides the vulnerability fixes, the updates therefore also contain bug fixes and new features (e.g. the Moment 2 update for Windows 11 22H2). For newer versions of Windows 10, Microsoft integrates the Servicing Stack Updates (SSUs) into the Latest Cumulative Updates (LCUs). A list of the latest SSUs can be found at ADV990001 (although that list is not always up to date).
On May 9, 2023, Windows 10 version 20H2 (Enterprise, Education) reaches end of life and receives security updates for the last time. On June 13, 2023, Windows 10 version 21H2 in the Home and Pro editions will also reach end of life.
Windows 7 SP1/Windows Server 2012 R2
Windows 7 SP1 has been out of support since January 2020. Only customers with a (4th year) ESU license (or workarounds) still receive updates. Updates can also be downloaded from the Microsoft Update Catalog. Windows 8.1 went out of support in January 2023. Windows Server 2012/R2 will receive security updates through October 2023.
Tenable has this blog post with an overview of the fixed vulnerabilities. Two of the vulnerabilities (the Win32k and Secure Boot issues below) were already exploited in the wild as zero-days before the patch. Here are some of the most notable vulnerabilities that have been fixed:
- CVE-2023-29336: Win32k Elevation of Privilege Vulnerability; CVSS v3 score 7.8, important. This is an EoP vulnerability in Win32k, a core kernel-mode driver in Windows, and it has been exploited in the wild as a zero-day. Successful exploitation allows an attacker who already has code execution on the host to gain SYSTEM privileges, which is why such bugs are typically chained with a browser or document exploit.
- CVE-2023-24932: Secure Boot Security Feature Bypass Vulnerability; CVSS v3 score 6.7, important. This is a vulnerability in Secure Boot on Windows operating systems that allows untrusted software to run during the boot process. The vulnerability was publicly disclosed and exploited as a zero-day before a patch was available. To exploit it, an attacker must already have administrative privileges or physical access to the device, which is why Microsoft rates exploitation as "less likely" in its Exploitability Index. Note that simply installing the May 2023 update does not close this hole: the Secure Boot changes (an updated boot manager and revocation of the vulnerable boot managers) are not enabled by default and must be applied manually following Microsoft's KB5025885 guidance, and the revocation also invalidates older boot media and recovery images, so test before rolling it out.
- CVE-2023-29325: Windows OLE Remote Code Execution Vulnerability; CVSS v3 score 8.1, critical. This is a publicly disclosed RCE in the Windows Object Linking and Embedding (OLE) mechanism. Windows OLE allows documents to contain objects from different applications; the vulnerability lies in the processing of RTF documents and emails. According to Microsoft, the preview pane in Microsoft Outlook and Office is an attack vector, so an unauthenticated remote attacker can exploit it by sending a specially crafted document or email to a vulnerable system, and merely previewing the message can suffice. The attack complexity is rated high, however, because the attacker must win a race condition and prepare the target environment for exploitation. Microsoft has already patched this area (incompletely) in previous months. As an interim measure, Microsoft names configuring Outlook to read all mail in plain text as a mitigation.
- CVE-2023-24941: Windows Network File System Remote Code Execution Vulnerability; CVSS v3 score 9.8, critical. This critical RCE affects supported versions of Windows Server on which the Server for NFS role is installed. NFS is used to share files between Unix and Windows Server systems. The vulnerability is specific to NFSv4.1 and does not affect NFSv2.0 or NFSv3.0. It can be exploited remotely by an unauthenticated attacker who sends a specially crafted call to a vulnerable NFS server, without any user interaction.
The updates cover the following products and components:
- Microsoft Bluetooth Driver
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office Access
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Teams
- Microsoft Windows Codecs Library
- Reliable Multicast Transport Driver (RMCAST)
- Remote Desktop Client
- Visual Studio Code
- Windows Backup Engine
- Windows Installer
- Windows iSCSI Target Service
- Windows Kernel
- Windows LDAP – Lightweight Directory Access Protocol
- Windows MSHTML Platform
- Windows Network File System
- Windows NFS Portmapper
- Windows NTLM
- Windows OLE
- Windows RDP Client
- Windows Remote Procedure Call Runtime
- Windows Secure Boot
- Windows Secure Socket Tunneling Protocol (SSTP)
- Windows SMB
- Windows Win32K
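For the NFS issue (CVE-2023-24941) described above, an administrator will want to know whether a given Windows Server is actually exposed and, where the update cannot be installed immediately, apply Microsoft's interim mitigation of disabling NFSv4.1. The following PowerShell is an added example and not code from the original post or from Microsoft. It assumes the Server for NFS role and its NFS PowerShell module (Get-/Set-NfsServerConfiguration) are present, that it runs in an elevated session, and that the host already carries the May 2022 fix for the NFSv2/v3 RCE CVE-2022-26937, which Microsoft names as a prerequisite for this mitigation. The function and switch names are my own.

```powershell
# Added example (not from the original post): audit a Windows Server for exposure to
# CVE-2023-24941 and optionally apply the interim mitigation of disabling NFSv4.1.
# Assumes the Server for NFS role, its NFS PowerShell module and an elevated session.

function Get-NfsV41Exposure {
    # Report whether the NFS server role is installed and whether NFSv4.1 is enabled.
    $feature = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
    if (-not $feature -or -not $feature.Installed) {
        return [pscustomobject]@{
            ComputerName       = $env:COMPUTERNAME
            NfsServerInstalled = $false
            NfsV4Enabled       = $false
            Exposed            = $false
        }
    }
    $cfg = Get-NfsServerConfiguration
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        NfsServerInstalled = $true
        NfsV4Enabled       = [bool]$cfg.EnableNFSV4
        # Only NFSv4.1 is affected by CVE-2023-24941; NFSv2/v3 are not.
        Exposed            = [bool]$cfg.EnableNFSV4
    }
}

function Disable-NfsV41Mitigation {
    param(
        # Microsoft advises this mitigation only on hosts that already have the May 2022
        # fix for CVE-2022-26937, because clients fall back to NFSv2/v3 once v4.1 is off.
        # The operator confirms that prerequisite explicitly; the switch name is hypothetical.
        [switch]$May2022NfsFixConfirmed
    )
    if (-not $May2022NfsFixConfirmed) {
        throw 'Refusing to disable NFSv4.1: verify the May 2022 NFS fix (CVE-2022-26937) is installed, then re-run with -May2022NfsFixConfirmed.'
    }
    $before = Get-NfsV41Exposure
    if (-not $before.NfsServerInstalled) {
        Write-Warning 'Server for NFS is not installed; nothing to do.'
        return $before
    }
    if (-not $before.NfsV4Enabled) {
        Write-Verbose 'NFSv4.1 is already disabled.'
        return $before
    }
    Set-NfsServerConfiguration -EnableNFSV4 $false
    # The change only takes effect after the NFS server has been restarted.
    nfsadmin server stop
    nfsadmin server start
    # Re-read the configuration so the caller sees the post-mitigation state.
    Get-NfsV41Exposure
}

# Usage (interactive, elevated):
#   Get-NfsV41Exposure
#   Disable-NfsV41Mitigation -May2022NfsFixConfirmed
```

The script deliberately refuses to apply the mitigation unless the operator asserts the May 2022 prerequisite, since turning off NFSv4.1 pushes clients onto NFSv2/v3, which had their own unauthenticated RCE fixed in May 2022. Once the May 2023 update is installed, reverse the mitigation with Set-NfsServerConfiguration -EnableNFSV4 $true followed by another NFS server restart.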
Similar articles:
Microsoft Security Update Summary (May 9, 2023)
Patchday: Windows 10-Updates (May 9, 2023)
Patchday: Windows 11/Server 2022-Updates (May 9, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (May 9, 2023)
Patchday: Microsoft Office Updates (May 9, 2023)
Microsoft Office Updates (May 2, 2023)