Microsoft March 2023 Patch Tuesday: 2 Zero-Day Flaws Fixed
Microsoft on Tuesday released 80 targeted fixes for its monthly security update, including fixes for two flaws that are currently being exploited.
This month's top concern for IT is CVE-2023-23397, an elevation of privilege vulnerability in all supported versions of Microsoft Outlook. Microsoft warns that attackers are able to obtain a user's Net-NTLMv2 hash, enabling an NTLM relay attack that spoofs the user's authentication to a third-party service. What makes this flaw so concerning is that exploitation requires no user interaction.
Dustin Childs, security expert at Zero Day Initiative, said that if it goes unpatched, it is very hard for users to avoid exploitation. "Before you ask about the Preview Pane, know that this bug hits before the email is even viewed by the Preview Pane, so disabling that feature has no impact," said Childs in a blog post. "No information is provided regarding how widespread these attacks may be, but definitely test and deploy this fix quickly."
Once that is patched, the next item to consider is the second zero-day flaw, CVE-2023-24880, a security feature bypass vulnerability in Windows SmartScreen. According to Microsoft, "an attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses," which could disable or circumvent some security features, such as Protected View in Microsoft Office.
This fix affects all supported versions of Windows. Despite the low Common Vulnerability Scoring System (CVSS) score of 5.4, Microsoft warns that this attack has been seen chained with other attacks to further compromise users.
What's noteworthy about this month's fix is that the exploits seen in the wild bypass a previous fix from December 2022 that addressed the same issue.
Researchers at Google's Threat Analysis Group have been credited with disclosing this flaw. In a follow-up report by the group, security expert Benoit Sevens said that Microsoft's recent troubles with SmartScreen are indicative of poor patching practices.
"This security bypass is an example of a larger trend Project Zero has highlighted previously: vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants," wrote Sevens. "When patching a security issue, there is tension between a localized, reliable fix, and a potentially harder fix of the underlying root cause issue."
Microsoft's March security update also features the following eight bulletin items rated critical (highest risk classification):
- CVE-2023-23392: Remote code execution vulnerability in HTTP Protocol Stack.
- CVE-2023-23415: Remote code execution vulnerability in the Internet Control Message Protocol (ICMP).
- CVE-2023-21708: Remote code execution vulnerability in the Remote Procedure Call (RPC) runtime.
- CVE-2023-23416: Remote code execution vulnerability in Windows Cryptographic Services.
- CVE-2023-23411: Denial of service vulnerability in Windows Hyper-V.
- CVE-2023-23404: Remote code execution vulnerability in Windows Point-to-Point Tunneling Protocol (PPTP).
- CVE-2023-1017: Elevation of privilege flaw in the TPM 2.0 Module Library.
- CVE-2023-1018: Elevation of privilege flaw in the TPM 2.0 Module Library.
March's full list of 80 bulletins can be found here.