It's that time of the month again: We’re looking at May’s Patch Tuesday roundup. Microsoft has released its monthly update, and while the total number of patched vulnerabilities is relatively low at 38, among them are three zero-day vulnerabilities.
Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. Of the three included in this month's update cycle, two have been found to be actively exploited and the third has been publicly disclosed.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The three zero-days are listed as:
Another vulnerability to keep an eye on is an RCE vulnerability with a CVSS score of 9.8 out of 10. Listed as CVE-2023-24941 this is a Windows Network File System (NFS) RCE vulnerability which can be exploited over the network by making an unauthenticated, specially crafted request. This vulnerability is not exploitable in NFSV2.0 or NFSV3.0. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV4.1. This could adversely affect your ecosystem and should only be used as a temporary mitigation. More information about how to do this and when not to can be found in the Microsoft advisory about this vulnerability under Mitigation.
Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.
Apple released an update addressing two actively exploited zero-day flaws.
Cisco released security updates.
Google has released Android updates.
Mozilla releases security advisories for Firefox 113 and Firefox ESR 102.11.
SAP released patch day updates.
VMWare fixed four vulnerabilities in virtualization software.
Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.