iTnews Asia
Microsoft's patches include Outlook preview pane vulnerability

Two exploited vulnerabilities in Patch Tuesday crop.

By Richard Chirgwin on May 10, 2023 12:03PM

Microsoft administrators are facing a collection of 49 patches in this month's Patch Tuesday, two of which have exploits in the wild.

The two exploited vulnerabilities are both sub-critical: CVE-2023-29336, a local privilege escalation vulnerability in the Win32k subsystem; and CVE-2023-24932, a Secure Boot bypass that would allow a local attacker with admin credentials to change a system's boot policy.

Just two of this month’s vulnerabilities carry CVSS scores greater than 9. 

CVE-2023-24943 is a remote code execution (RCE) vulnerability in the Windows Pragmatic General Multicast (PGM) server.

“When Windows Message Queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code,” the advisory explained.

Microsoft also recommended that customers replace PGM with newer technologies such as a unicast or multicast server.

CVE-2023-24941 is an RCE in the Windows network file system (NFS) v4.1 (versions 2.0 and 3.0 are not vulnerable) that can be triggered by an “unauthenticated, specially crafted call to a network file system service”.

Another notable RCE, with a CVSS score of 8.1, is CVE-2023-29325, an OLE vulnerability that could be used to attack an Outlook user through the preview pane.

An attack “might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim's Outlook application displaying a preview of a specially crafted email”. 

Microsoft's advisory noted that users who configure Outlook to display email only as plain text are immune.
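A defender's check for the plain-text mitigation mentioned above, added here as an example and not taken from the article or from Microsoft's advisory. It assumes the per-user Outlook setting lives in the registry as the DWORD value ReadAsPlain under HKCU:\Software\Microsoft\Office\<version>\Outlook\Options\Mail, and that the Office version keys of interest are 14.0, 15.0 and 16.0.

```powershell
# Added example (not the article's or Microsoft's code): audit, and optionally
# enforce, Outlook's "read all standard mail in plain text" setting for the
# current user. Assumption: the setting is the DWORD ReadAsPlain (1 = plain
# text) under HKCU:\Software\Microsoft\Office\<version>\Outlook\Options\Mail.
[CmdletBinding()]
param(
    [switch]$Enforce   # set ReadAsPlain=1 for every Outlook version key found
)

# Office version keys this check looks at (assumption: Office 2010 through Microsoft 365).
$versions = @('14.0', '15.0', '16.0')

function Get-OutlookPlainTextStatus {
    foreach ($v in $versions) {
        $outlookKey = "HKCU:\Software\Microsoft\Office\$v\Outlook"
        # Skip versions that have never been used by this user profile.
        if (-not (Test-Path $outlookKey)) { continue }

        $mailKey = Join-Path $outlookKey 'Options\Mail'
        $value = $null
        if (Test-Path $mailKey) {
            $value = (Get-ItemProperty -Path $mailKey -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
        }

        # A missing value means the default (HTML rendering), i.e. not mitigated.
        [pscustomobject]@{
            Version     = $v
            ReadAsPlain = $value
            Mitigated   = ($value -eq 1)
        }
    }
}

function Set-OutlookPlainText {
    foreach ($v in $versions) {
        $outlookKey = "HKCU:\Software\Microsoft\Office\$v\Outlook"
        if (-not (Test-Path $outlookKey)) { continue }
        $mailKey = Join-Path $outlookKey 'Options\Mail'
        if (-not (Test-Path $mailKey)) { New-Item -Path $mailKey -Force | Out-Null }
        New-ItemProperty -Path $mailKey -Name ReadAsPlain -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

if ($Enforce) { Set-OutlookPlainText }
Get-OutlookPlainTextStatus | Format-Table -AutoSize
```

Run it without -Enforce to audit; with -Enforce it switches the current user to plain-text reading, which strips HTML formatting from every message they open, so assess the user impact before rolling it out fleet-wide (and restart Outlook for the change to take effect).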

Other lower-scoring RCE bugs include CVE-2023-28283 in LDAP; CVE-2023-24955, a SharePoint Server bug; and CVE-2023-24903, a bug in the Windows Secure Socket Tunneling Protocol (SSTP).

Microsoft’s full list of vulnerabilities is here.

Copyright © iTnews.com.au . All rights reserved.