38 CVEs addressed through the May 2023 Patch Tuesday Release
Updated on May 10, 2023
Key notes
It’s May already and everyone is looking towards Microsoft, in hopes that some of the flaws they’ve been struggling with will finally get fixed.
We’ve already provided the direct download links for the cumulative updates released today for Windows 10 and 11, but now it’s time to talk about Common Vulnerabilities and Exposures (CVEs) again.
This month, the Redmond tech giant released 38 new patches, which is a lot less than some people were expecting right after Easter.
These software updates address CVEs in:
For May, Microsoft released only 38 new patches, fewer than many were expecting for the fifth month of 2023.
One of Microsoft’s lightest months with only 38 updates
It is a light month for Microsoft’s security experts and for administrators alike, so we can relax a bit right before the summer.
You might like to know that, out of the 38 new CVEs released, seven are rated Critical and 31 are rated Important in severity.
As many of you probably already know, May is historically a smaller month for fixes, but this month’s volume is the lowest since August 2021.
Know that one of the new CVEs is listed as under active attack and two are listed as publicly known at the time of release.
Let’s take a closer look at CVE-2023-29336, as it’s the one bug listed as being under active attack at the time of release. It is an elevation of privilege vulnerability in the Win32k kernel driver that lets an attacker who already has code running on the machine as a low-privileged user gain SYSTEM privileges.
With this one, you have to go all the way back to May of last year to find a month in which there wasn’t at least one Microsoft bug under active attack.
In practice, this type of privilege escalation is usually chained with a code execution bug (for example a malicious document or a browser exploit) to spread malware, so treat this one as a top priority.
Moving on to CVE-2023-29325, we learn that while the title says OLE, the real component to worry about is Outlook.
Please note that this vulnerability allows an attacker to execute their code on an affected system by sending a specially crafted RTF e-mail.
The Preview Pane is an attack vector, so a target doesn’t even need to open the crafted message, and while Outlook is the most likely exploit vector, other Office applications that render RTF are also impacted. Until the update is installed, reading e-mail in plain text (which stops Outlook from rendering the RTF payload) is Microsoft’s suggested mitigation.
Microsoft notes that this is one of the two publicly known bugs patched this month, and it has been widely discussed on Twitter.
CVE-2023-24941, a remote code execution bug in the Windows Network File System (NFS) server, has been given a CVSS score of 9.8 and allows a remote, unauthenticated attacker to run arbitrary code on an affected system with elevated privileges.
The worst part is that no user interaction is required. Another interesting thing about this vulnerability is that it exists in NFS version 4.1 but not in NFSv2.0 or NFSv3.0.
If you cannot patch immediately, you can mitigate this bug by disabling NFSv4.1 and falling back to the earlier versions, but Microsoft warns that you should not use this mitigation unless you already have the CVE-2022-26937 patch from May 2022 installed, because that older remote code execution bug affected NFSv2 and NFSv3 and you would otherwise be trading one critical flaw for another.
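The check-then-downgrade sequence described above, as an added example that is not from the article or from Microsoft’s advisory text. It assumes the Windows Server NFS role (and its NFS PowerShell module) is installed, that the script is run from an elevated prompt, and that the administrator supplies the KB article number of the CVE-2022-26937 update for their OS build as `$PrerequisiteKB`; that parameter is a placeholder to be looked up, not a value taken from the page.

```powershell
# Added example: disable NFSv4.1 as an interim mitigation for CVE-2023-24941,
# but only after confirming the May 2022 CVE-2022-26937 fix is present,
# since falling back to NFSv2/v3 is unsafe without it.
# $PrerequisiteKB is an assumed input in "KB1234567" form; look up the correct
# KB for your build in the CVE-2022-26937 advisory before running this.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^KB\d+$')]
    [string]$PrerequisiteKB
)

Import-Module NFS -ErrorAction Stop

# Gate: refuse to downgrade if the prerequisite update is not installed.
$prereq = Get-HotFix -Id $PrerequisiteKB -ErrorAction SilentlyContinue
if (-not $prereq) {
    throw "Update $PrerequisiteKB (CVE-2022-26937 fix) is not installed; do not disable NFSv4.1 on this host."
}

# Record the current protocol configuration so the change can be reverted later.
$before = Get-NfsServerConfiguration
Write-Host ("Before: NFSv2={0} NFSv3={1} NFSv4={2}" -f $before.EnableNFSV2, $before.EnableNFSV3, $before.EnableNFSV4)

if (-not $before.EnableNFSV4) {
    Write-Host "NFSv4 is already disabled; nothing to do."
    return
}

# Make sure at least one of the older versions stays enabled, or clients lose access entirely.
if (-not ($before.EnableNFSV2 -or $before.EnableNFSV3)) {
    throw "Neither NFSv2 nor NFSv3 is enabled; disabling NFSv4 would leave no protocol for clients."
}

# Apply the mitigation and restart the NFS server so the setting takes effect.
Set-NfsServerConfiguration -EnableNFSV4 $false
nfsadmin server stop
nfsadmin server start

# Verify the change actually took.
$after = Get-NfsServerConfiguration
if ($after.EnableNFSV4) {
    throw "NFSv4 is still enabled after reconfiguration; check the NFS server logs."
}
Write-Host ("After:  NFSv2={0} NFSv3={1} NFSv4={2}" -f $after.EnableNFSV2, $after.EnableNFSV3, $after.EnableNFSV4)
Write-Host "NFSv4.1 disabled. Re-enable with 'Set-NfsServerConfiguration -EnableNFSV4 `$true' once the May 2023 update is installed."
```

The script deliberately fails closed on two conditions the article warns about: it will not downgrade without the 2022 fix in place, and it will not leave the server with no protocol version enabled. Once the May 2023 update is applied, reverse the change with the `Set-NfsServerConfiguration` call shown in the final message, followed by another `nfsadmin server stop` and `start`.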
Looking at the remaining Critical-rated patches, there’s another CVSS 9.8 bug in Pragmatic General Multicast (PGM) that looks identical to the PGM bug patched last month.
This could indicate a failed patch or, more likely, a wide attack surface in PGM that researchers are just starting to explore. PGM is not enabled by default; it is installed together with Microsoft Message Queuing (MSMQ), so if you don’t need MSMQ, removing it closes this exposure outright.
There are also patches for Critical-rated bugs in the LDAP and SSTP protocols, and an intriguing bug in MSHTML that could allow a remote attacker to escalate to administrator privileges.
The Redmond tech giant doesn’t provide details on that last one, but it does note that some level of privileges is required to exploit it.
The next Patch Tuesday rollout will be on June 13th, so don’t get too comfortable with the current state of affairs, as it might change sooner than you think.
Alexandru Poloboc
Tech Journalist