Patch Tuesday May 2023 – Microsoft Slates for Release 11 Security Fixes for Edge Browser Vulnerabilities – Source: heimdalsecurity.com

Source: heimdalsecurity.com – Author: Vladimir Unterfingher

Heimdal® returns with yet another rendition of its monthly Patch Tuesday updates. Our May edition covers security releases for vulnerabilities that impact Microsoft’s Chromium-based Edge browser. In total, 11 fixes have been released, each tackling a different operational area. Enjoy, and don’t forget to subscribe to Heimdal®’s newsletter for more goodies.

Patch Tuesday May 2023 – Highlights

We’ll kickstart May’s list of security patches with CVE-2023-29354, aka the Microsoft Edge (Chromium-based) Security Feature Bypass vulnerability. According to Microsoft’s records, a threat actor leveraging this vulnerability can potentially circumvent the pop-up blocker and/or CSP (i.e., Content Security Policy) by having the user interact with a fabricated URL. Although the defect is exploitable, the attacker cannot make any modifications to the browser’s contents. However, according to the same source, CVE-2023-29354 used in conjunction with other TTPs can lead to an iframe sandbox escape. The defect has been marked as fixed, with a patch available on Microsoft’s official website.

The second contender on May’s Patch Tuesday list is CVE-2023-29350, a Microsoft Edge (Chromium-based) Elevation of Privilege vulnerability. With a Max Severity rating of “Important” and CVSS 3.1 scores of 7.5 / 6.5 (base / temporal), this vulnerability can potentially allow a threat actor to obtain higher machine privileges by passing the user a crafted URL. If leveraged successfully, CVE-2023-29350 can lead to full browser compromise. The vulnerability has received an official fix as part of Microsoft’s May Patch Tuesday bout.

Check out the full list of patched bugs.

Release Date | CVE Number | CVE Title
------------ | -------------- | ---------
5-May-23 | CVE-2023-29354 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
5-May-23 | CVE-2023-29350 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
5-May-23 | CVE-2023-2468 | Chromium: CVE-2023-2468 Inappropriate implementation in PictureInPicture
5-May-23 | CVE-2023-2467 | Chromium: CVE-2023-2467 Inappropriate implementation in Prompts
5-May-23 | CVE-2023-2466 | Chromium: CVE-2023-2466 Inappropriate implementation in Prompts
5-May-23 | CVE-2023-2465 | Chromium: CVE-2023-2465 Inappropriate implementation in CORS
5-May-23 | CVE-2023-2464 | Chromium: CVE-2023-2464 Inappropriate implementation in PictureInPicture
5-May-23 | CVE-2023-2463 | Chromium: CVE-2023-2463 Inappropriate implementation in Full Screen Mode
5-May-23 | CVE-2023-2462 | Chromium: CVE-2023-2462 Inappropriate implementation in Prompts
5-May-23 | CVE-2023-2460 | Chromium: CVE-2023-2460 Insufficient validation of untrusted input in Extensions
5-May-23 | CVE-2023-2459 | Chromium: CVE-2023-2459 Inappropriate implementation in Prompts

More Cybersecurity Advice

This wraps up the May edition of our Patch Tuesday updates. Since no patching article should be without advice, here are a couple of things you can try out to reinforce your threat defenses and step up your vulnerability & patch management game.

Revert to previous builds/versions.

Patching is a trial-and-error process, which means something’s bound to happen at any point in time (e.g., unexpected patch failure, connectivity issues, no mobile control, insufficient privileges, failure to meet regulatory compliance standards, etc.). Ensure that your backups are viable in case you need to revert the app(s) to a previous version and/or build.

Continuous vulnerability scanning.

Don’t forget to work up a functional vulnerability scanning schedule. The best practice dictates that scanning should occur at least once per month. Don’t forget about documenting your findings.

Automatic patching.

Smaller organizations tend to rely on manual patching in order to deploy all relevant improvement-carrying packages. However, things tend to change a bit when you’re in the shoes of an IT admin catering to the needs of hundreds of users. The best way around this issue is, of course, automatic patching. If configured correctly, an automatic patching solution can ensure timely (and correct) deployment and a low risk of incompatibility. Heimdal®’s Patch & Asset Management can aid you in quickly distributing your patches, regardless of whether they are OS-specific, 3rd party, proprietary, or UX/UI-oriented.
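Whether you scan monthly or patch automatically, you still want an independent check that the Edge build actually installed on each Windows host is at or above the build that carries this month’s fixes. The script below is an added example written for this article, not Heimdal®’s or Microsoft’s code; the article does not state the fixed Edge build number, so $MinimumEdgeVersion is a placeholder you must set from Microsoft’s release notes.

```powershell
# Added example (not from the Heimdal article): report whether the Microsoft Edge
# build installed on this Windows host meets a minimum version.
# $MinimumEdgeVersion is an assumed placeholder: set it to the Edge build that
# Microsoft's release notes list as containing the May 2023 fixes in this article.
param(
    [version]$MinimumEdgeVersion = [version]'0.0.0.0'   # placeholder, see note above
)

function Get-InstalledEdgeVersion {
    # Edge registers msedge.exe under App Paths; resolve the path and read the
    # file's ProductVersion, which is the same build string Edge shows in edge://version.
    $appPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe'
    )
    foreach ($key in $appPaths) {
        if (Test-Path $key) {
            $exe = (Get-ItemProperty -Path $key).'(default)'
            if ($exe -and (Test-Path $exe)) {
                return [version](Get-Item $exe).VersionInfo.ProductVersion
            }
        }
    }
    return $null
}

function Test-EdgePatchCompliance {
    param([version]$Minimum)
    $installed = Get-InstalledEdgeVersion
    if (-not $installed) {
        # No Edge install found: flag it rather than silently reporting compliant.
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Installed = $null;
                                  Minimum = $Minimum; Status = 'EdgeNotFound' }
    }
    # [version] comparison is component-wise, so 113.0.1774.35 -ge 113.0.1774.3 is true.
    $status = if ($installed -ge $Minimum) { 'Compliant' } else { 'NeedsUpdate' }
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Installed = $installed;
                       Minimum = $Minimum; Status = $status }
}

Test-EdgePatchCompliance -Minimum $MinimumEdgeVersion | Format-Table -AutoSize
```

Run it as part of the monthly scan (for example via Invoke-Command against your host list) and keep the output with your scan documentation, so a 'NeedsUpdate' host is visible even when the automatic patching tool reports the job as done.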

Planning and beyond. If you’re managing a team, consider drafting a list of patching protocols. Include dates, times, operating systems, tests, and everything else you can think of. Don’t forget to note down any modifications made to the software.

Conclusion

This wraps up the May edition of Heimdal®’s Patch Tuesday series. Hope you’ve enjoyed it. As always, stay safe, patch your heart out, and keep away from suspicious websites.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.


Original Post URL: https://heimdalsecurity.com/blog/patch-tuesday-may-2023/

Category & Tags: Patch Tuesday Updates
