Microsoft has released an optional fix to address a Kernel information disclosure vulnerability affecting systems running multiple Windows versions, including the latest Windows 10, Windows Server, and Windows 11 releases.
While it has a medium severity range CVSS base score of 4.7/10, Redmond has tagged this security flaw (CVE-2023-32019) as important severity.
Reported by Google Project Zero security researcher Mateusz Jurczyk, the bug lets authenticated attackers access the heap memory of privileged processes running on unpatched devices.
While successful exploitation doesn't require threat actors to have administrator or other elevated privileges, it does depend on their ability to coordinate their attacks with another privileged process run by another user on the targeted system.
What makes the CVE-2023-32019 patch stand out from other security updates issued as part of the June 2023 Patch Tuesday is that it's disabled by default, even after applying this week's updates.
As Microsoft explains in a support document, you must make a registry change on vulnerable Windows systems to enable the fix.
“To mitigate the vulnerability associated with CVE-2023-32019, install the June 2023 Windows update or a later Windows update,” Microsoft says.
“By default, the fix for this vulnerability is disabled. To enable the fix, you must set a registry key value based on your Windows operating system.”
While Microsoft didn't provide additional details on why this fix is turned off by default, a spokesperson told BleepingComputer that “the update should be enabled by default in a future release.”
However, it's unclear if enabling the fix could cause issues in the operating system, so it may be safer to test it on a few machines before performing a wide deployment.
How to enable the CVE-2023-32019 fix
Depending on the Windows version running on your device, you will have to add the following under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides registry key:
- Windows 10 20H2, 21H2, 22H2: Add a new DWORD registry value named 4103588492 with a value data of 1
- Windows 11 21H2: Add a new DWORD registry value named 4204251788 with a value data of 1
- Windows 11 22H2: Add a new DWORD registry value named 4237806220 with a value data of 1
- Windows Server 2022: Add a new DWORD registry value named 4137142924 with a value data of 1
On Windows 10 1607 and Windows 10 1809, you will have to add a new DWORD registry value named ‘LazyRetryOnCommitFailure’ with a value data of 0 under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager registry key.
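The registry steps above can be audited and applied per machine with a short script. This is an added example, not code from Microsoft or from the original article; the mapping from `CurrentBuild` numbers to Windows releases and the `-Enable` switch are assumptions introduced here, while the registry paths, value names and data come from the list above.

```powershell
# Added example: report (default) or enable (-Enable) the CVE-2023-32019 fix.
# Run elevated when using -Enable; -WhatIf previews the write without making it.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Enable)

$overrides = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
$cfgMgr    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'

# CurrentBuild -> (key, value name, DWORD data). Build numbers are an assumption
# added here; the article lists releases by name only.
$map = @{
    '19042' = @($overrides, '4103588492', 1)              # Windows 10 20H2
    '19044' = @($overrides, '4103588492', 1)              # Windows 10 21H2
    '19045' = @($overrides, '4103588492', 1)              # Windows 10 22H2
    '22000' = @($overrides, '4204251788', 1)              # Windows 11 21H2
    '22621' = @($overrides, '4237806220', 1)              # Windows 11 22H2
    '20348' = @($overrides, '4137142924', 1)              # Windows Server 2022
    '14393' = @($cfgMgr, 'LazyRetryOnCommitFailure', 0)   # Windows 10 1607
    '17763' = @($cfgMgr, 'LazyRetryOnCommitFailure', 0)   # Windows 10 1809
}

$build = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
if (-not $map.ContainsKey($build)) {
    Write-Warning "Build $build is not in the article's list; no change made."
    return
}
$path, $name, $want = $map[$build]

# A missing key or value yields $null, which never equals 0 or 1.
$current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
if ($current -eq $want) {
    Write-Output "Build ${build}: fix already enabled ($name = $want)."
    return
}
Write-Output "Build ${build}: fix NOT enabled ($name is '$current', expected $want)."

if ($Enable -and $PSCmdlet.ShouldProcess("$path\$name", "Set DWORD to $want")) {
    # Create the key only if absent so existing values under it are left alone.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $want -Force | Out-Null
    Write-Output "Set $name = $want under $path."
}
```

The registry value only matters once the June 2023 or a later Windows update is installed, and running the script without `-Enable` on a few test machines first gives an inventory of where the fix is still off.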
This is not the first time the company has issued an optional fix for a Windows security vulnerability.
Just last month, Microsoft said that a patch addressing the CVE-2023-24932 Secure Boot bug exploited by BlackLotus UEFI malware as a zero-day required additional manual steps besides installing the security update to remove the attack vector.
As explained at the time, Redmond is taking a phased approach to enforce the CVE-2023-24932 protections to reduce customer impact.
However, it's unclear if enabling the feature could cause issues in the operating system, so it may be safest to test it on a few machines before performing a wide deployment.
Microsoft also warned that there is no way to revert the changes once CVE-2023-24932 mitigations are fully deployed and enabled on a system.