Microsoft’s latest Patch Tuesday is here – fixes numerous flaws, some ‘critical’

Microsoft has just released its cumulative security update for March 2023, commonly known as Patch Tuesday.

In this month’s fix, the company addressed a total of 83 flaws, including nine critical vulnerabilities and two zero-day flaws that are being actively exploited in the wild.

Breaking the patch down, Microsoft said it addressed 21 elevation of privilege issues, 2 security feature bypass flaws, 27 remote code execution vulnerabilities, 4 denial of service flaws, 10 spoofing flaws, and one Microsoft Edge / Chromium flaw.

Fixing zero-days

But perhaps the most important fixes are for two zero-day vulnerabilities: flaws that were exploited before they were publicly disclosed, leaving victims with no way to address them.

This month’s zero-days include CVE-2023-23397, an elevation of privilege vulnerability found in Outlook, and CVE-2023-24880, a security feature bypass vulnerability found in Windows SmartScreen.

With the Outlook flaw, threat actors were crafting emails that forced the target endpoint to connect to a remote URL and transmit the Windows account’s Net-NTLMv2 hash.

“External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control,” Microsoft explained.

“This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.” The company added that a known threat actor, STRONTIUM, was abusing this flaw.
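As an added defender-side illustration (not code from the article or from Microsoft), the check below scans a message’s properties for UNC paths that point outside the organisation, the kind of forced-connection target described above. The internal-domain suffixes, the sample message and its property values are constructed for this example; it uses the MAPI reminder-file property name as the carrier, which is an assumption about where such a path would sit.

```python
"""Flag message properties that would force an outbound UNC (SMB/WebDAV) connection."""
import ipaddress
import re

# UNC path: \\host\share[\path]; the host may be a DNS name or an IPv4 literal.
UNC_RE = re.compile(r"^\\\\([^\\/]+)\\([^\\]+)")

# Constructed list of DNS suffixes this hypothetical organisation treats as internal.
INTERNAL_SUFFIXES = (".corp.example.com", ".example.internal")


def is_internal_host(host: str) -> bool:
    """True for private/loopback/link-local IPs, single-label names and internal DNS suffixes."""
    host = host.split("@")[0]  # drop WebDAV-style "@port" / "@SSL" decorations
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        pass  # not an IP literal, treat as a name
    name = host.lower()
    return "." not in name or name.endswith(INTERNAL_SUFFIXES)


def unc_target(value: str):
    """Return (host, share) if value is a UNC path, otherwise None."""
    m = UNC_RE.match(value.strip())
    return (m.group(1), m.group(2)) if m else None


def find_external_unc(properties: dict) -> list:
    """Return [(property_name, host)] for string properties pointing at an external UNC location."""
    hits = []
    for name, value in properties.items():
        if not isinstance(value, str):
            continue
        target = unc_target(value)
        if target and not is_internal_host(target[0]):
            hits.append((name, target[0]))
    return hits


# Constructed sample: a calendar item whose reminder-sound path is an external UNC share.
SAMPLE_PROPERTIES = {
    "PidTagSubject": "Quarterly review",
    "PidLidReminderFileParameter": r"\\files.badhost.example.net\audio\alert.wav",
    "PidTagBody": "Please confirm attendance.",
}

if __name__ == "__main__":
    print(find_external_unc(SAMPLE_PROPERTIES))
```

A property that resolves to an internal share, a local file path or a plain string produces no hit, so the check can run over a mailbox export without drowning the analyst in noise.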

The second zero-day, found in Windows SmartScreen, allowed attackers to bypass the Windows Mark of the Web warning. When a file is downloaded from the internet, it gets a “mark of the web” tag signaling that it might potentially be malicious.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.