Microsoft’s March 2023 Patch Tuesday release includes fixes for 76 vulnerabilities in the company’s products, with two listed as being actively exploited, one of which also being listed as publicly known.
The amount of bugs fixed by Microsoft this month is on par with the tech giant’s February security update when it patched 75 vulnerabilities, including three that were being actively exploited.
Also similar in the March 2023 Patch Tuesday release were the number of remote code execution bugs, with 25 listed this month. Last month, there were 35 remote code execution vulnerabilities.
Based on analysis from researchers at Zero Day Initiative, Tenable and other security firms, here’s a look at the more notable vulnerabilities.
CVE-2023-23397 – Microsoft Outlook Spoofing Vulnerability
This bug is getting a lot of attention from security researchers. The bug gets a CVSSv3 score of 9.8 and has been exploited in the wild, which makes this a top priority for IT and security admins this month. The vulnerability is exploited by sending a malicious email to a vulnerable version of Outlook. When the server processes the email, a connection to an attacker-controlled device is established to leak the Net-NTLMv2 hash of the email recipient. This allows the attacker to use the hash to authenticate as the victim recipient in an NTLM relay attack.
According to Microsoft, this can occur before the email is viewed in Preview Pane, so no interaction from the victim is needed for the attack to be successful. Disabling the Preview Pane feature will have no impact.
What makes this even more interesting is that the discovery of this vulnerability is credited to the Computer Emergency Respponse Team of Ukraine and Microsoft researchers. Given what is currently happening in Ukraine, this bug could be significant.
CVE-2023-24880 – Windows SmartScreen Security Feature Bypass Vulnerability
This is the other vulnerability listed as under active attack, but it doesn’t appear to be as severe as the Outlook spoofing bug. This allows attackers to create files that can bypass Mark of the Web protections, rendering features like SmartScreen and Protected View in Microsoft Office useless and allowing threat actors to spread malware via crafted documents and other files.
This is listed as under active attack and could signify how attackers are adapting new methods of delivering malware since Microsoft has taken steps to prevent Office documents from being used for that purpose.
This bug was discovered by Google’s Threat Analysis Group (TAG), which says ransomware groups are using the vulnerability to deliver the magniber ransomware without any security warnings. According to TAG, attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet.
TAG says it has observed over 100,000 downloads of the malicious MSI files since January 2023. Microsoft in December 2022 patched a similar vulnerability after threat actors were exploiting it since September 2022.
CVE-2023-23415 – Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
This is a vulnerability in Windows operating systems that also gets a critical CVSSv3 score of 9.8. According to Tenable, the bug lies in the way the operating system handles ICMP packets when an application running on a vulnerable Windows host is bound to a raw socket. An attacker can exploit it by sending a malicious fragmented IP Packet to a vulnerable target.
CVE-2023-23392 – HTTP Protocol Stack Remote Code Execution Vulnerability
Another bug getting attention this month is a CVSS 9.8-rated vulnerability that could allow a remote, unauthenticated attacker to execute code at the SYSTEM level without user interaction. Attackers can send a malicious packet to the target server, but the server must have HTTP/3 enabled and use buffered I/O. However, this is a common configuration for Windows 11 and Windows Server 2022.
There are six other critical-rated bugs patched this month, including vulnerabilities in Windows Cryptographic Services, Hyper-V, Windows Point-to-Point Tunneling Protocol and others.
For more information on the March 2023 Patch Tuesday release, consult Microsoft’s Security Update Guide and analysis from Tenable and Zero Day Initiative.