Two zero-days addressed in March 2023 Patch Tuesday

Special attention called to Outlook issue under attack now


Microsoft has released its March 2023 Patch Tuesday update, resolving several security vulnerabilities found in its products.

Two of the 80 CVEs resolved this month are zero-days, both actively exploited in attacks.

Nine of the fixed vulnerabilities are classified as 'Critical' in severity because they enable attackers to carry out remote code execution (RCE), elevation of privilege (EoP), or denial of service (DoS) attacks.

In all, the March security update includes patches for 27 RCE vulnerabilities, 21 EoP bugs, 15 information disclosure bugs, 10 spoofing bugs, four DoS vulnerabilities, two security feature bypass vulnerabilities, and one flaw in Chromium-based Edge.

Additionally, the company has expanded the coverage of four previously released CVEs to include additional versions of Windows.

Actively exploited

Two vulnerabilities are currently being actively attacked: a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397) and a bypass of the Windows SmartScreen security feature (CVE-2023-24880).

CVE-2023-23397, with a CVSS score of 9.8, enables malicious actors to use specially crafted emails to force a target device to connect to a remote URL and send the Net-NTLMv2 hash of the Windows account.

"External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim," Microsoft said in its advisory.

The company cautions that this flaw can be triggered without the need for the email to be opened in the preview pane, as the vulnerability is activated automatically during retrieval and processing by the email server.
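The behaviour described above, Outlook itself opening a connection to an attacker-controlled UNC path, is what a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from Microsoft; it assumes Sysmon Event ID 3 (network connection) records flattened to "Field: value" pairs, and the sample records are constructed for illustration.

```python
import ipaddress
import ntpath

# Constructed Sysmon Event ID 3 records, flattened to "Field: value" pairs
# joined by "|". Sample inputs made up for this example, not real telemetry.
# 203.0.113.x is a documentation range standing in for an attacker-controlled host.
SAMPLE_EVENTS = [
    "Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|"
    "DestinationIp: 10.0.0.25|DestinationPort: 445",      # internal file server, expected
    "Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|"
    "DestinationIp: 203.0.113.77|DestinationPort: 445",   # external SMB: Net-NTLMv2 leak
    "Image: C:\\Windows\\explorer.exe|"
    "DestinationIp: 203.0.113.77|DestinationPort: 445",   # not Outlook, out of scope here
    "Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|"
    "DestinationIp: 52.96.0.1|DestinationPort: 443",      # ordinary HTTPS, not SMB
]

# Address space treated as internal; everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORT = "445"


def parse_event(line):
    """Split a flattened 'Field: value|Field: value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def is_external(ip_text):
    """True when the address lies outside every INTERNAL_NETS range."""
    addr = ipaddress.ip_address(ip_text)
    return not any(addr in net for net in INTERNAL_NETS)


def is_outlook_smb_leak(event):
    """Outlook process, SMB port, external destination: the leak pattern."""
    image = ntpath.basename(event.get("Image", "")).lower()
    dest = event.get("DestinationIp")
    return (image == "outlook.exe" and dest is not None
            and event.get("DestinationPort") == SMB_PORT and is_external(dest))


def find_outlook_smb_leaks(lines):
    """Return the external IPs that Outlook reached over SMB, in log order."""
    events = (parse_event(line) for line in lines)
    return [e["DestinationIp"] for e in events if is_outlook_smb_leak(e)]


if __name__ == "__main__":
    for ip in find_outlook_smb_leaks(SAMPLE_EVENTS):
        print(f"ALERT: OUTLOOK.EXE opened SMB to external host {ip}")
```

Blocking outbound TCP 445 at the perimeter, as Microsoft recommended alongside the patch, stops the leak itself; this check surfaces hosts where Outlook still attempted it.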

Bleeping Computer reported that a private threat analytics report from Microsoft indicated that STRONTIUM, a state-sponsored Russian hacking group, had exploited CVE-2023-23397. By exploiting this vulnerability, the threat actors were able to obtain the NTLM hashes of their targets and use them to breach their networks, from where they stole emails belonging to specific accounts.

Microsoft acknowledged the Ukrainian CERT organisation and its own MSTI threat intelligence group for uncovering CVE-2023-23397.

In addition, Microsoft has flagged a second vulnerability requiring immediate attention, CVE-2023-24880, which attackers are actively exploiting to bypass the SmartScreen security feature.

CVE-2023-24880 could be used to evade the Mark-of-the-Web (MotW) protections when opening untrusted files downloaded from the internet, the company said.

This vulnerability is a result of a narrow patch that Microsoft released to address a different SmartScreen bypass bug (CVE-2022-44698) discovered last year.

"This CVE affects all currently supported versions of the Windows OS. The CVSSv3.1 score is only 5.4, which may avoid notice by many organizations and on its own this CVE may not be all that threatening, but it was likely used in an attack chain with additional exploits," said Chris Goettl, VP of Security Products at Ivanti.

This month's security update has also addressed several critical RCE vulnerabilities affecting the HTTP Protocol Stack (CVE-2023-23392), the Internet Control Message Protocol (CVE-2023-23415), and the Remote Procedure Call Runtime (CVE-2023-21708).

Furthermore, the security update includes fixes for four EoP vulnerabilities found in the Windows Kernel, 10 RCE flaws affecting Microsoft PostScript and PCL6 Class Printer Driver, and a WebView2 spoofing vulnerability discovered in the Edge browser.