Microsoft Patch Tuesday
In today’s SensCy Cyber Brief, your SensCy team reviewed Microsoft’s latest series of patches released on Tuesday, May 9, 2023. Today’s Patch Tuesday comes with fixes for SIX zero-day vulnerabilities and 132 flaws.
What is Patch Tuesday?
Patch Tuesday is Microsoft’s initiative to release new security fixes for the Windows operating system and any other Microsoft software on a monthly basis. Your SensCy team will monitor such releases and provide you with our observations and recommendations.
Why is it important?
This month’s Patch Tuesday is critical because it fixes SIX zero-day vulnerabilities (a vulnerability in a system or device that has been disclosed but is not yet patched). The SensCy team recommends that Microsoft users install those patches immediately.
CVE-2023-32046 is an Elevation of Privilege vulnerability, where “the attacker would gain the rights of the user that is running the affected application,” reads Microsoft’s advisory.
CVE-2023-32049 is a vulnerability that prevents the display of the Open File - Security Warning prompt when downloading and opening files from the Internet.
CVE-2023-36874 is an Elevation of Privilege vulnerability that allows threat actors to gain administrator privileges on the Windows device.
CVE-2023-36884 is an unpatched zero-day vulnerability affecting Office that allows remote code execution using specially crafted Microsoft Office documents. Here are Microsoft’s remediations.
ADV230001 is a Microsoft advisory explaining that Microsoft has suspended all associated developer accounts and revoked abused certificates.
CVE-2023-35311 is a vulnerability in Outlook that allows an attacker to bypass the Microsoft Outlook Security Notice prompt.
In addition to the zero-day fixes, Microsoft is also fixing 132 vulnerabilities, with nine classified as “Critical” as they allow remote code execution.
Here is a breakdown of each vulnerability category:
- 33 Elevation of Privilege Vulnerabilities
- 13 Security Feature Bypass Vulnerabilities
- 37 Remote Code Execution Vulnerabilities
- 19 Information Disclosure Vulnerabilities
- 22 Denial of Service Vulnerabilities
- 7 Spoofing Vulnerabilities
For more information on the vulnerabilities and the systems they affect, please refer to the full report from Microsoft linked here.
If you have any questions or concerns regarding Patch Tuesday and are unsure of the implications of the new updates for your company, please reach out to SensCy.