
Microsoft has released an optional fix to address a Kernel information disclosure vulnerability affecting systems running multiple Windows versions, including the latest Windows 10, Windows Server, and Windows 11 releases.

While it has a medium-severity CVSS base score of 4.7/10, Redmond has tagged this security flaw (CVE-2023-32019) as important severity.

Reported by Google Project Zero security researcher Mateusz Jurczyk, the bug lets authenticated attackers access the heap memory of privileged processes running on unpatched devices.

While successful exploitation doesn't require threat actors to have administrator or other elevated privileges, it does depend on their ability to coordinate their attacks with another privileged process run by another user on the targeted system.

What makes the CVE-2023-32019 patch stand out from other security updates issued as part of the June 2023 Patch Tuesday is that it's disabled by default, even after applying this week's updates.

As Microsoft explains in a support document, you must make a registry change on vulnerable Windows systems to enable the fix.

"To mitigate the vulnerability associated with CVE-2023-32019, install the June 2023 Windows update or a later Windows update," Microsoft says.

"By default, the fix for this vulnerability is disabled. To enable the fix, you must set a registry key value based on your Windows operating system."

While Microsoft didn't provide additional details on why this fix is turned off by default, a spokesperson told BleepingComputer that "the update should be enabled by default in a future release."

However, it's unclear if enabling the fix may cause issues in the operating system, so it may be safer to test it on a few machines before performing a wide deployment.

How to enable the CVE-2023-32019 fix

Depending on the Windows version running on your device, you will have to add the following under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides registry key:

  • Windows 10 20H2, 21H2, 22H2: Add a new DWORD registry value named 4103588492 with a value data of 1
  • Windows 11 21H2: Add a new DWORD registry value named 4204251788 with a value data of 1
  • Windows 11 22H2: Add a new DWORD registry value named 4237806220 with a value data of 1
  • Windows Server 2022: Add a new DWORD registry value named 4137142924 with a value data of 1

On Windows 10 1607 and Windows 10 1809, you will have to add a new DWORD registry value named 'LazyRetryOnCommitFailure' with a value data of 0 under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager registry key.
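
The registry steps above can be audited and applied with a short PowerShell script. This is an added example, not a script from Microsoft or from this article; the key paths, value names and data are the ones listed above, while the build numbers used to select the right entry are an assumption added for the example.

```powershell
# Added example: audit (and with -Enable, set) the CVE-2023-32019 opt-in value.
# Key paths, value names and data come from the article; the build numbers
# used to pick the entry are an assumption added for this example.
param([switch]$Enable)   # without -Enable the script only reports state

$overrides = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
$cfgMgr    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'

$settings = @{
    19042 = @{ Path = $overrides; Name = '4103588492'; Data = 1 }   # Windows 10 20H2
    19044 = @{ Path = $overrides; Name = '4103588492'; Data = 1 }   # Windows 10 21H2
    19045 = @{ Path = $overrides; Name = '4103588492'; Data = 1 }   # Windows 10 22H2
    22000 = @{ Path = $overrides; Name = '4204251788'; Data = 1 }   # Windows 11 21H2
    22621 = @{ Path = $overrides; Name = '4237806220'; Data = 1 }   # Windows 11 22H2
    20348 = @{ Path = $overrides; Name = '4137142924'; Data = 1 }   # Windows Server 2022
    14393 = @{ Path = $cfgMgr; Name = 'LazyRetryOnCommitFailure'; Data = 0 }  # Windows 10 1607
    17763 = @{ Path = $cfgMgr; Name = 'LazyRetryOnCommitFailure'; Data = 0 }  # Windows 10 1809
}

$build = [System.Environment]::OSVersion.Version.Build
$s = $settings[$build]
if (-not $s) {
    Write-Warning "Build $build is not among the releases listed in the article; nothing changed."
    return
}

if ($Enable) {
    # Writing under HKLM requires an elevated session.
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord `
        -Value $s.Data -Force | Out-Null
}

# Read the value back so the report reflects what is actually in the registry.
$item    = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
$current = if ($item) { $item.($s.Name) } else { $null }

[pscustomobject]@{
    Build      = $build
    KeyPath    = $s.Path
    ValueName  = $s.Name
    Expected   = $s.Data
    Current    = $current
    FixEnabled = ($null -ne $current -and $current -eq $s.Data)
}
```

Run without -Enable, the script only reports whether the opt-in value is present, which gives an inventory of the pilot machines before the change is rolled out more widely.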

This is not the first time the company has issued an optional fix for a Windows security vulnerability.

Just last month, Microsoft said that a patch addressing the CVE-2023-24932 Secure Boot bug exploited by BlackLotus UEFI malware as a zero-day required additional manual steps besides installing the security update to remove the attack vector.

As explained at the time, Redmond is taking a phased approach to enforce the CVE-2023-24932 protections to reduce customer impact.

However, it's unclear if enabling the feature may cause issues in the operating system, so it may be safest to test it on a few machines before performing a wide deployment.

Microsoft also warned that there is no way to revert the changes once CVE-2023-24932 mitigations are fully deployed and enabled on a system.


Update June 16, 10:30 EDT: Microsoft says in an update to the CVE-2023-24932 guidance that the fix requires manual activation because it introduces a “potential breaking change.” However, they did not share any information on what it breaks.  

"The resolution described in this article introduces a potential breaking change. Therefore, we are releasing the change disabled by default with the option to enable it," Microsoft says.

"In a future release, this resolution will be enabled by default. We recommend that you validate this resolution in your environment. Then, as soon as it is validated, enable the resolution as soon as possible."
