Microsoft Patch Tuesday, March 2023 Edition – Krebs on Security

Microsoft on Tuesday released updates to fix at least 74 security flaws in its Windows operating systems and software. Two of these bugs are already being actively attacked, including a particularly serious weakness in Microsoft Outlook that can be exploited without user interaction.

The Outlook vulnerability (CVE-2023-23397) affects all versions of Microsoft Outlook from 2013 to the latest. Microsoft said it has seen evidence of attackers exploiting this flaw, which can be done without any user interaction by sending a booby-trapped email that triggers automatically when retrieved by the email server – before the email even appears in the preview pane.

Although CVE-2023-23397 is labeled as an “Elevation of Privilege” vulnerability, that label does not accurately reflect its severity, said Kevin Breen, director of cyber threat research at Immersive Labs.

Known as an NTLM relay attack, it allows an attacker to obtain someone’s NTLM hash [Windows account password] and use it in an attack often referred to as “Pass The Hash”.

“The vulnerability allows the attacker to effectively authenticate as a trusted person without needing to know the person’s password,” Breen said. “This is on par with an attacker having a valid password accessing an organization’s systems.”

Security company Quick7 points out that this bug affects self-hosted versions of Outlook such as Microsoft 365 Apps for Business, but Microsoft-hosted web services such as Microsoft 365 are not vulnerable.

The second zero-day flaw actively exploited in the wild – CVE-2023-24880 – is a “security feature bypass” in Windows SmartScreen, part of Microsoft’s list of endpoint protection tools.

Patch management provider Action 1 notes that exploiting this flaw is low in complexity and requires no special privileges. But it requires some user interaction, and cannot be used to access private information or privileges. However, the flaw could allow other malicious code to run undetected by SmartScreen reputation checks.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said CVE-2023-24880 allows attackers to create files that will bypass Mark of the Web (MOTW) defenses.

“Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen,” said Childs.

Seven other vulnerabilities Microsoft patched this week received its most severe “critical” rating, meaning the updates address vulnerabilities that could be exploited to give an attacker full remote control over a Windows host with little or no user interaction.

Also this week, Adobe released eight patches that address a whopping 105 security holes across a variety of products, including Adobe Photoshop, ColdFusion, Experience Manager, Dimension, Trade, Magento, Substance 3D Stager, Cloud Desktop application, and Illustrator.

For a more detailed overview of the updates released today, see the SANS Internet Storm Center summary. If today’s updates cause stability or usability issues in Windows, will likely take it down.

Please consider backing up your data and/or imaging your system before applying any updates. And please let us know in the comments section if you experience any problems as a result of these updates.
