May 10, 2023

Patch Tuesday Update - May 2023

The Derby has been run, summer is nearly here, and the flowers are blooming… but so are the Microsoft security vulnerabilities. So, time to grab your shears and tend your infrastructure garden by addressing this month’s Patch Tuesday issues. 

This month, Microsoft announced fixes for 38 new CVEs including 6 Microsoft-rated critical vulnerabilities, 2 new zero-day vulnerabilities (CVE-2023-29344 & CVE-2023-29333), 1 update to a previously reported exploitable vulnerability (CVE-2013-3900) as well as 12 other updates to previously released CVEs.

Of the 38 new vulnerabilities, the fix sources break down as follows:

  • Number of Knowledgebase (KB) fixes – 30 
  • Number of Clicks to run updates – 1
  • Number of Vulnerabilities with release notes associated with them – 3
  • Updates available from the Microsoft App Store – 3  
  • Vulnerabilities with no fix published as of this writing – 1 (CVE-2023-29344)

The headline issues this month are the two new known exploitable zero-day CVEs:

  • CVE-2023-29344 – Microsoft Office Remote Code Execution Vulnerability
  • CVE-2023-29333 – Microsoft Access Denial of Service Vulnerability

Breaking down the 38 vulnerabilities further by impact type, we can see that remote code execution leads the way again this month with elevation of privileges and information disclosure tied right behind it.

Figure: Breakdown of CVEs by impact type

Furthermore, as can be seen below, these vulnerabilities vary in terms of how likely they are to be exploited, with 26% of the vulnerabilities this month either already exploited or highly likely to be exploited, as ranked by the Microsoft Exploitability Index.

Figure: Breakdown of CVEs by exploit likelihood

As always, Balbix can identify all affected assets within hours of release. There are no scans to run. Balbix customers simply search for the CVE name in their Balbix dashboard to view the list of affected assets. Filtered search functionality can also be used to search for the CVE by site, subnet, location, or other distinguishing factors.