Patch Tuesday notes.
May 10, 2023

Yesterday's Patch Tuesday is now in the books.

Microsoft fixed 40 security vulnerabilities. Mozilla released two patches, one for Firefox 113 and another for Firefox ESR 102.11. Adobe patched 14 vulnerabilities in Substance 3D Painter, and Onapsis released a blog post detailing the SAP Patch Day patches.

Microsoft addresses 40 security vulnerabilities. 

Microsoft released 40 security updates affecting various products, and it also republished 9 non-Microsoft CVEs. Simply updating your machines might not solve the problem, as Adam Barnett pointed out: “While a patch enables the configuration options necessary for protection, administrators must apply changes to UEFI config after patching. The attack surface is not limited to physical assets - Windows assets running on some VMs, including Azure assets with Secure Boot enabled, also require these extra remediation steps for protection. Enabling Secure Boot is a foundational protection against driver-based attacks. Defenders ignore this vulnerability at their peril.” He added that “All current versions of Windows are vulnerable, and viewing the malicious file via the Preview pane is one route to exploitation; however, successful exploitation requires an attacker to win a race condition and to otherwise prepare the target environment.”

In an email to the CyberWire, OccamSec CEO Mark Stamford wrote, “CVE-2023-29336 and CVE-2023-29325 are probably the biggest concern since they can be utilized remotely. 2023-24932 requires physical access so depending on your threat models, may pose less of a risk (although attacks at this level are extremely “interesting”). 29325 exploits a problem with MS Outlook (not o365) which Microsoft helpfully recommends you remedy by reading email in plain text as a workaround, which while nice and old school, is about as likely for the majority of users as them really paying attention to your security awareness training video, so patch that now.” He also added that MS Edge is receiving a large number of updates, which resembles the Internet Explorer days and “the endless slew of vulnerabilities found.”

Tom Marsland, VP of Technology at Cloud Range, weighed in on the matter, stating, “While the Secure Boot vulnerability addressed by Microsoft requires the threat actor to either already have administrator-level privileges or physical access to the device, CVE-2023-29336 is a vulnerability already being exploited in the wild. People are already using it to hack into so time is of the essence in applying patches. The release of this collection of patches continues to show the importance of a formal asset tracking and vulnerability management system, including the proper training and staffing to manage it.”

SAP patches 26 vulnerabilities. 

SAP released 25 updates and security patches that fix 26 vulnerabilities, which were given a cumulative CVSS value of 9.8. Onapsis reported that “Version 112.0.5615.121 was an emergency security update by Google that fixes a critical vulnerability tracked as CVE-2023-2033. Google confirmed that ‘an exploit for CVE-2023-2033 exists in the wild’. Based on NIST's description of the flaw, the vulnerability allows ‘a remote attacker to potentially exploit heap corruption via a crafted HTML page.’” Onapsis concluded that “With twenty-five new and updated SAP Security Notes, including three HotNews Notes and nine High Priority Notes, SAP’s May Patch Day is a busy one. Special attention should be paid to SAP Note #3307833 since it represents the final fix for five older SAP Security Notes.”

Mozilla fixes 13 vulnerabilities in Firefox 113 and 8 in Firefox ESR. 

CISA released a Cyber Advisory Alert stating that Mozilla has released two security advisories, one for Firefox 113 and another for Firefox ESR 102.11. The Firefox 113 advisory reported that 13 vulnerabilities were patched, with six being of high impact, five being moderate, and one being of low impact. Firefox ESR fixed eight vulnerabilities, five of which were of high impact, two of moderate impact, and one of low impact.

Adobe fixes 14 vulnerabilities in Substance 3D Painter. 

Adobe patched Substance 3D Painter, fixing 14 vulnerabilities. Adobe Substance 3D Painter versions 8.3.0 and earlier are vulnerable to various memory leaks and arbitrary code execution attacks and should be updated to version 8.3.1, which fixes these vulnerabilities. As SecurityWeek writes, “There is no indication that these flaws have been exploited in the wild. The priority rating assigned by the company also suggests that they are unlikely to ever be exploited for malicious purposes. All of the vulnerabilities were reported to Adobe by researcher Mat Powell through Trend Micro’s Zero Day Initiative (ZDI).”