Microsoft’s March 2023 Patch Tuesday Fixes Two Actively Exploited Zero-Days

Microsoft’s March Patch Tuesday provided fixes for a total of 83 vulnerabilities, including two actively exploited zero-days. Here’s what you need to know.

What is the situation?

Of the 83 vulnerabilities, nine are rated “Critical.” The Critical-rated flaws allow remote code execution (RCE), denial of service (DoS) or elevation of privilege.

The two patched zero-day vulnerabilities are as follows:

CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability

Microsoft describes this as an elevation-of-privilege flaw triggered by a specially crafted email. The Outlook client processes the message automatically as soon as it is retrieved from the mail server, so no user interaction is required, and Microsoft notes that exploitation can occur before the email is even shown in the preview pane. On success, the victim’s Outlook connects to an attacker-controlled SMB share (a UNC path embedded in the message) and authenticates to it, sending the Windows account’s Net-NTLMv2 hash. The attacker can then relay that authentication to other NTLM-capable services or attempt to crack the hash offline.

Further reporting attributes in-the-wild exploitation of this vulnerability to APT28 (Fancy Bear), a Russian state-sponsored advanced persistent threat group.

CVE-2023-23397 affects all supported versions of Microsoft Outlook for Windows, but does not affect Outlook for Android, iOS or macOS versions. Additionally, the web client version of Outlook is not affected.

Microsoft has released a PowerShell script that lets admins check whether any messaging items (emails, calendar items and tasks) in their Exchange environment contain the property this exploit abuses, which indicates that users have been targeted; the script can also remove the property from affected items.
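Microsoft’s script looks at the mailbox side. A complementary host-side check follows from the mechanism described above: OUTLOOK.EXE should not be initiating SMB (TCP 445) connections to internet hosts, and an endpoint that does so after receiving a calendar reminder is worth a closer look. The example below is added here and is not code from Nuspire or Microsoft. It runs detection logic over constructed sample events written in the style of Sysmon Event ID 3 (network connection) records flattened to key=value pairs; the event lines, the destination addresses (RFC 5737 documentation ranges) and the list of networks treated as internal are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample events in the style of Sysmon Event ID 3 (network connection),
# flattened to key=value pairs for this example. Not real telemetry; destinations use
# RFC 5737 documentation ranges, so none of them is a real host.
SAMPLE_EVENTS = [
    # Outlook initiating SMB to an internet host: the behaviour CVE-2023-23397 causes
    # when the crafted reminder points at an attacker-controlled UNC share.
    "EventID=3 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE "
    "Protocol=tcp Initiated=true DestinationIp=203.0.113.45 DestinationPort=445 DestinationHostname=",
    # Outlook talking SMB to an internal file server: normal, not flagged.
    "EventID=3 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE "
    "Protocol=tcp Initiated=true DestinationIp=10.1.2.3 DestinationPort=445 DestinationHostname=fs01.corp.example",
    # Another process on 445 to the internet: interesting, but outside this rule's scope.
    "EventID=3 Image=C:\\Windows\\explorer.exe "
    "Protocol=tcp Initiated=true DestinationIp=198.51.100.7 DestinationPort=445 DestinationHostname=",
    # Outlook on HTTPS to its mail service: normal, not flagged.
    "EventID=3 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE "
    "Protocol=tcp Initiated=true DestinationIp=192.0.2.10 DestinationPort=443 DestinationHostname=mail.example.test",
]

# Networks treated as internal by this check. This is an assumed allowlist; tune it to the
# environment. ipaddress.is_private is deliberately not used, because it also classifies
# the RFC 5737 documentation ranges in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# key=value pairs where a value runs until the next " key=" or end of line,
# so values containing spaces (such as Image paths) survive.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one flattened event line into a dict of field name -> value."""
    return dict(_KV.findall(line))


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outlook_smb_egress(lines) -> list:
    """Return destination IPs of outbound TCP/445 connections that OUTLOOK.EXE initiated to non-internal hosts."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "3" or ev.get("Initiated") != "true":
            continue
        if not ev.get("Image", "").lower().endswith("\\outlook.exe"):
            continue
        if ev.get("Protocol") != "tcp" or ev.get("DestinationPort") != "445":
            continue
        if is_internal(ev["DestinationIp"]):
            continue
        hits.append(ev["DestinationIp"])
    return hits


if __name__ == "__main__":
    for ip in find_outlook_smb_egress(SAMPLE_EVENTS):
        print(f"OUTLOOK.EXE initiated SMB to external host {ip}: possible CVE-2023-23397 NTLM leak")
```

In a real deployment the events would come from the Sysmon operational log or an EDR export rather than an inline list, and the same rule translates directly into a SIEM query (process name, destination port 445, destination not in the internal ranges). A hit means the hash has most likely already left the host, so the follow-up is to reset that account’s password and look for NTLM relay activity, not just to patch.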

CVE-2023-24880: Windows SmartScreen Security Feature Bypass Vulnerability

Microsoft’s other actively exploited zero-day is a flaw in Windows SmartScreen that lets an attacker craft files which open without the Mark of the Web (MOTW) security warning. Security features such as Office Protected View and the SmartScreen prompt itself rely on the MOTW tag to decide that a file came from the internet, so a bypass causes those protections to fail silently.
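MOTW is not an abstract flag: on NTFS it is an alternate data stream named Zone.Identifier, in INI format, whose ZoneId field is what Protected View and SmartScreen consult. In the CVE-2023-24880 case the downloaded file still carried that tag; the defect was in how SmartScreen handled it. The example below is added here and is not code from Nuspire or Microsoft. It parses the stream, reports the zone and the download origin fields that forensic analysts use, and applies the zone rule Protected View follows; the sample stream contents and URLs are constructed for the example.

```python
import configparser
from typing import Optional

# Windows URL security zone values as they appear in ZoneId (the URLZONE enumeration).
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}

# Constructed example of a Zone.Identifier stream as a browser download leaves it on disk.
# Sample text, not a captured artifact; the URLs are placeholders.
SAMPLE_MOTW = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://downloads.example.test/\r\n"
    "HostUrl=https://downloads.example.test/setup.msi\r\n"
)

_ABSENT = {"zone_id": None, "zone": "no mark", "referrer": None, "host_url": None}


def parse_zone_identifier(stream: Optional[str]) -> dict:
    """Parse the INI-style Zone.Identifier stream. None means the stream is absent (file has no MOTW)."""
    if stream is None:
        return dict(_ABSENT)
    cp = configparser.ConfigParser(interpolation=None)
    try:
        # Windows writes CRLF line endings; normalise before handing to configparser.
        cp.read_string(stream.replace("\r\n", "\n"))
    except configparser.Error:
        # A stream that is present but not valid INI is itself worth noting.
        return dict(_ABSENT, zone="unparseable")
    zone = cp.getint("ZoneTransfer", "ZoneId", fallback=None)
    return {
        "zone_id": zone,
        "zone": ZONES.get(zone, "unknown"),
        "referrer": cp.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        "host_url": cp.get("ZoneTransfer", "HostUrl", fallback=None),
    }


def is_marked_from_internet(stream: Optional[str]) -> bool:
    """The MOTW test Protected View and the SmartScreen prompt depend on: ZoneId 3 (Internet) or 4 (Restricted)."""
    return parse_zone_identifier(stream)["zone_id"] in (3, 4)


def read_motw(path: str) -> Optional[str]:
    """On Windows, read the stream via the NTFS 'file:stream' syntax; None when no Zone.Identifier stream exists."""
    try:
        with open(path + ":Zone.Identifier") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_MOTW)
    print(f"zone {info['zone_id']} ({info['zone']}), downloaded from {info['host_url']}")
    print("would open in Protected View:", is_marked_from_internet(SAMPLE_MOTW))
```

When triaging a delivered file, a ZoneId of 3 on an installer that the user reports opened with no SmartScreen prompt is exactly the combination this bypass produces; the HostUrl and ReferrerUrl fields then point at where the file came from.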

Researchers (Google’s Threat Analysis Group) attributed in-the-wild abuse of this vulnerability to the Magniber ransomware operation, which used it to deliver payloads without triggering the warning from SmartScreen’s reputation-based cloud service.

What is Nuspire doing?

Nuspire applies patches when released in accordance with vendor recommendations.

What should I do?

Organizations should review the March 2023 security updates as provided by Microsoft and apply patches as soon as possible to affected systems, prioritizing by criticality.

  • Prioritize patching the two actively exploited vulnerabilities described above.
  • Each CVE’s Microsoft advisory also lists workarounds/mitigations if immediate patching isn’t possible; for CVE-2023-23397 these are adding users to the Protected Users security group and blocking outbound TCP 445 (SMB) at the perimeter and on the host.
