Microsoft Fixes BlackLotus Vulnerability, Again
May Patch Tuesday Fixes 38 Bugs Including 3 Zero Days
Microsoft issued an optional patch Tuesday as part of its monthly dump of fixes that addresses for the second time a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware.
In all, the Redmond giant pushed out 38 security fixes in its May patch cycle, addressing three zero-day flaws - two of which are under active exploitation, including the UEFI flaw - and six bugs rated critical.
Security researchers earlier this year spotted the BlackLotus bootkit for sale on hacker forums for $5,000. BlackLotus was the first known example of malware capable of defeating the computing industry standard for ensuring only trusted operating systems can boot up a device. It exploited a vulnerability Microsoft patched in 2022 tracked as CVE-2022-21894 (see: BlackLotus Malware Bypasses Secure Boot on Windows Machines).
Hackers found a workaround tracked as CVE-2023-24932 that led Microsoft to develop its second patch against BlackLotus.
The patch is optional, the company says, since the attacker must have admin privileges or physical access to the device for the exploit to work. "An attacker will commonly use this vulnerability to continue controlling a device that they can already access and possibly manipulate," Microsoft said in guidance for applying the fix, which requires following up the patch with modifications to the UEFI configuration.
In a blog post, Rapid7 Lead Software Engineer Adam Barnett said the flaw is more dangerous than its CVSSv3 base score of 6.7 might suggest. "Microsoft warns that an attacker who already has Administrator access to an unpatched asset could exploit CVE-2023-24932 without necessarily having physical access," he wrote.
"This patch should be high on the list for organizations that operate a hybrid workforce with local and remote employees, or those organizations that travel frequently. Evil Maid-style attacks are the vector here," said Kev Breen, director of cyber threat research at Immersive Labs.
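The article describes the exposure conditions (Secure Boot in use, attacker already holding admin or physical access) and notes that remediation is the optional update followed by UEFI configuration changes it does not detail. The following read-only inventory script is an added example, not code from the article or from Microsoft, that a defender can run across Windows endpoints to see which hosts meet those conditions and still lack the update. It assumes an elevated PowerShell 5.1 or later session; the KB number is a placeholder to be filled from Microsoft's advisory, and the script deliberately does not attempt the UEFI follow-up steps the page does not describe.

```powershell
# Added example (not from the article or Microsoft): read-only exposure check for
# CVE-2023-24932 as the article frames it. Assumed: elevated PowerShell 5.1+ session.
$KbPlaceholder = 'KB<MAY-2023-UPDATE-NUMBER>'   # assumption: take the real ID from Microsoft's advisory

function Get-SecureBootExposure {
    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        SecureBootOn   = $null
        PatchInstalled = $null
        LocalAdmins    = @()
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM machines; record that instead of failing.
    try {
        $result.SecureBootOn = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBootOn = 'NotUEFI'
    }

    # The cumulative update being present is necessary but not sufficient: the article
    # says the fix also needs UEFI configuration changes that this script does not apply.
    $result.PatchInstalled = [bool](Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object HotFixID -eq $KbPlaceholder)

    # Per the Rapid7 quote above, any account with local admin can exploit the flaw
    # without physical access, so the size of this list is part of the risk picture.
    $result.LocalAdmins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)

    [pscustomobject]$result
}

$exposure = Get-SecureBootExposure
$exposure | Format-List

if ($exposure.SecureBootOn -eq $true -and -not $exposure.PatchInstalled) {
    Write-Warning "Secure Boot host without the May update: schedule the patch and the UEFI follow-up steps from Microsoft's guidance."
}
```

Run it through your endpoint management tooling and collect the objects centrally; hosts where `SecureBootOn` is `$true`, `PatchInstalled` is `$false`, and `LocalAdmins` contains more than the built-in accounts are the ones the Immersive Labs comment about travelling and hybrid staff applies to most directly.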
The other zero-day under active exploitation is CVE-2023-29336, a Win32k elevation-of-privilege vulnerability. The company credits researchers from antivirus firm Avast with identifying the vulnerability.
"This type of privilege escalation is usually combined with a code execution bug to spread malware. Considering this was reported by an AV company, that seems the likely scenario here," wrote Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative. "As always, Microsoft offers no information about how widespread these attacks may be," he added.
Microsoft also resolved CVE-2023-29325, a remote code execution vulnerability in Windows OLE that does not yet appear to have been exploited.
The vulnerability does not require user interaction. The flaw lies in the operating system itself, but the preview pane in Outlook can serve as the attack vector.
The bundle of patches also addressed yet another bypass of an earlier patch, although Microsoft rates the bug as "important" rather than "critical."
The vulnerability, CVE-2023-29324, allows attackers to trick Outlook clients into connecting to a remote server. Microsoft maintains that Exchange servers updated in March stop the attack from executing (see: Researchers Find Bypass for a Fixed Bug; MSFT Patches Again).