Microsoft Patch Tuesday – 14/3/23

Another month rolls by and another Patch Tuesday to keep up with. All the excitement of updating your systems, with a slight worry of crashing the entire network to keep the spice in your life! What else could sysadmins and cybersecurity teams ask for? Here’s our breakdown of the events as we saw them earlier this week.

Microsoft Patch Tuesday

What’s been updated this Patch Tuesday?

Let’s get down to the raw numbers.

We have a total of 80 vulnerabilities patched this month, meaning that there is a heavy workload for people who are testing out their systems before rollout. However, the severity of the update has been reduced from nine critical flaws that were addressed last month to only six. Not a bad number to work with.

Two zero-day vulnerabilities (including one that had already been leaked out into the dark web) have been addressed during this update. Xavier Bellekens went on record to state:

In this month’s Patch Tuesday update, Microsoft is releasing fixes for two very dangerous Zero Days that are actively being exploited by adversaries. These Zero Days are unique as they can easily be automated for mass scanning and exploitation.”

Source: Spiceworks

From this large selection of vulnerabilities, we can also find the following breakdown of vulnerability types:

  • 26 remote code execution vulnerabilities
  • 21 elevation of privilege vulnerabilities
  • 15 information disclosure vulnerabilities
  • 6 spoofing vulnerabilities
  • 5 cross-site scripting vulnerabilities
  • 4 denial of service vulnerabilities
  • 3 security feature bypass vulnerabilities

Scary stuff!

But we thought we’d take a little look at how serious these zero-day vulnerabilities actually were (spoiler: very!)

Patch Tuesday Zero Day #1: CVE-2023-23397

CVE-2023-23397 is a critical elevation of privilege (EoP) vulnerability in Microsoft Outlook, with a CVSS score of 9.8. The vulnerability could be exploited by an attacker without any user interaction by sending a specially crafted email that triggers automatically when retrieved by the email server. If successfully exploited, the attacker could access a user’s Net-NTLMv2 hash and execute a pass-the-hash attack on another service and authenticate as the user. The vulnerability affects all versions of Outlook from 2013 onwards and is actively being exploited.

To avoid system compromise through CVE-2023-23397, users are advised to update their Outlook to the latest version. If updating is not feasible, Microsoft has recommended two mitigation measures. One is to add privileged users, such as Domain Admins, to the Protected Users Security Group to prevent the use of NTLM as an authentication mechanism. The other is to block TCP 445/SMB outbound from the network through perimeter firewalls, local firewalls, and VPN settings to prevent the sending of NTLM authentication messages to remote file shares. Users are strongly advised to take immediate action to protect their systems from this critical vulnerability.

Patch Tuesday Zero Day #2: CVE-2023-24880

CVE-2023-24880 is a zero-day vulnerability patched by Microsoft in March 2023. It is an SFB flaw existing in Windows SmartScreen, with a CVSS score of 5.4 and requiring user interaction. The vulnerability does not provide access to private information or privileges, but it can allow malicious code to run undetected by SmartScreen reputation checks. The exploitation proof of concept for this vulnerability is publicly available, making it concerning.

CVE-2023-24880 impacts all Windows desktops from Windows 10 onwards and Windows Server editions 2016, 2019, and 2022. The vulnerability bypasses the Microsoft Mark of the Web (MOTW) security feature, which creates a zone identifier Alternate Data Stream (ADS) to prevent users from accessing malicious files from the internet. Attackers can craft a malicious file to bypass MOTW, resulting in a loss of device integrity and availability of security features in Microsoft Office, such as Protected view, which relies on MOTW tags.

Users are advised to update their Windows systems to the latest version to mitigate the risk of exploitation through CVE-2023-24880.

With that in mind, get your systems updated and take care!

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.