Microsoft’s May 2023 Patch Tuesday: Satnam Narang, Sr. Staff Research Engineer, Tenable 

“CVE-2023-29336 is an elevation of privilege (EoP) vulnerability in Win32k. According to Microsoft, it was exploited in the wild as a zero day. This is the fifth month in a row that an elevation of privilege vulnerability was exploited in the wild as a zero day. We anticipate details surrounding its exploitation to be made public soon by the researchers that discovered it. However, it is unclear if this flaw is a patch bypass. Historically, we’ve seen three separate examples where Win32k EoP vulnerabilities were exploited as zero days. In January 2022, Microsoft patched CVE-2022-21882, which was exploited in the wild and is reportedly a patch bypass for CVE-2021-1732, which was patched in February 2021 and also exploited in the wild. In October 2021, Microsoft patched another Win32k EoP, identified as CVE-2021-40449, which was linked to a remote access trojan known as MysterySnail, which was a patch bypass for CVE-2016-3309. While relatively rare, it is interesting to observe multiple Win32k EoP flaws exploited as zero days that were also patch bypasses.

“CVE-2023-24932 is a security feature bypass vulnerability in Secure Boot. This vulnerability was exploited in the wild as a zero day and was publicly disclosed prior to patches being made available. It appears to be related to a report from ESET from March regarding BlackLotus, a Unified Extensible Firmware Interface (UEFI) bootkit that has been available to cybercriminals since October 2022 and can be purchased for $5,000 USD on hacking forums. The report said at the time that the bootkit was capable of bypassing the UEFI Secure Boot security feature on fully patched systems. An attacker could exploit this flaw if they had physical access or administrative rights to a vulnerable system.” – Satnam Narang, sr. staff research engineer, Tenable