This Patch Tuesday, Microsoft has fixed a total of 74 vulnerabilities, nearly the same as last month’s release. More critical updates were addressed as well, with a total of 9 critical fixes compared to 6 in February. This month, there are also two zero-day vulnerabilities that have been fixed, similar to last month’s updates. Notably, one of these zero-days has been publicly disclosed, with a proof-of-concept available on the darknet.
Microsoft Outlook Elevation of Privilege Vulnerability
Microsoft has identified a new security vulnerability in Microsoft Outlook, tracked as CVE-2023-23397, that allows attackers to elevate their privileges. It is a zero-day vulnerability and affects all versions of Microsoft Outlook from 2013 onwards. The risk score is high, with a CVSS score of 9.8, and Microsoft has confirmed that it is already being exploited in the wild. However, no proof of concept has been publicly disclosed yet.
The attack requires no user interaction: the attacker sends a specially crafted email which triggers automatically as soon as it is retrieved, so exploitation can occur before the message is even viewed in the Preview Pane. If exploited successfully, the attacker obtains the user's Net-NTLMv2 hash, which can then be used in a pass-the-hash attack against another service to authenticate as that user.
To mitigate the risk, Microsoft recommends updating to the latest version of Outlook. If updating is not feasible, adding privileged users such as Domain Admins to the Protected Users Security Group can help prevent the use of NTLM as an authentication mechanism. Blocking TCP 445/SMB outbound from your network via perimeter firewalls, local firewalls, and VPN settings can also help prevent the sending of NTLM authentication messages to remote file shares.
However, the best course of action is to install the Microsoft update on all systems after testing it in a controlled environment.
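The two interim mitigations named above can be applied and verified from PowerShell. This is an added example for this post, not a script from Microsoft; it assumes the RSAT ActiveDirectory module on a domain-joined administrative workstation, and the account names it adds are constructed placeholders.

```powershell
# Added example (not from the original post). Applies the interim mitigations for
# CVE-2023-23397 described above and checks that they took effect.
# Assumes: RSAT ActiveDirectory module, run as a domain administrator.
Import-Module ActiveDirectory

# 1. Put privileged accounts into Protected Users. Members of this group cannot
#    authenticate with NTLM, so a leaked Net-NTLMv2 hash is useless for them.
$privilegedAccounts = @('da-alice', 'da-bob')   # constructed placeholder SAM names
foreach ($account in $privilegedAccounts) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $account
}

function Test-ProtectedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Returns $true when the account is now a member of Protected Users.
    $members = Get-ADGroupMember -Identity 'Protected Users' |
        Select-Object -ExpandProperty SamAccountName
    return $members -contains $SamAccountName
}

foreach ($account in $privilegedAccounts) {
    "{0}: ProtectedUsers={1}" -f $account, (Test-ProtectedUser -SamAccountName $account)
}

# 2. Block outbound SMB (TCP 445) on the host firewall for every profile, so
#    Outlook cannot send an NTLM authentication to an attacker-controlled share.
$ruleName = 'Block outbound SMB (CVE-2023-23397 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Action Block -Profile Any -Enabled True | Out-Null
}

function Test-OutboundSmbBlocked {
    # Returns $true when an enabled outbound block rule for TCP 445 exists.
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if (-not $rule -or $rule.Enabled -ne 'True' -or $rule.Action -ne 'Block') { return $false }
    $filter = $rule | Get-NetFirewallPortFilter
    return ($filter.Protocol -eq 'TCP' -and "$($filter.RemotePort)" -eq '445')
}

"Outbound SMB blocked: $(Test-OutboundSmbBlocked)"
```

Two caveats before rolling this out: Protected Users is for user accounts only (it also disables Kerberos delegation, DES/RC4 and long-lived tickets, so service and computer accounts do not belong in it), and a blanket outbound 445 block also stops legitimate access to file shares outside the host, which is why the post recommends testing in a controlled environment first.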
Windows SmartScreen Security Feature Bypass Vulnerability
A new vulnerability, CVE-2023-24880, has been discovered in the Windows SmartScreen security feature. It allows malicious code to bypass SmartScreen, including where SmartScreen backs other protections such as Protected View in Microsoft Office. The exploit is low in complexity and uses a network vector, requiring no special privileges, but it does require some user interaction. The vulnerability has a moderate CVSS score of 5.4: it cannot by itself be used to gain access to private information or privileges, but it can allow other malicious code to run without being caught by SmartScreen reputation checks.
It is important to note that Microsoft has confirmed this vulnerability is being exploited in the wild, with proof-of-concept examples available on the dark net. The best way to mitigate the risk is to install the latest update from Microsoft on all systems, after testing it in a controlled environment.
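Because this flaw undermines the reputation checks rather than disabling them, it is worth confirming that SmartScreen is still turned on and that downloaded files are actually carrying the Mark of the Web that SmartScreen and Protected View consult. The following audit is an added example written for this post, not Microsoft code; the folder it scans is an assumed default and the registry value it reads is the Explorer SmartScreen setting.

```powershell
# Added example (not from the original post). Reports the Explorer SmartScreen
# setting and which files in a folder carry a Mark of the Web (Zone.Identifier
# alternate data stream). Files without a MotW never reach SmartScreen or
# Protected View, so they deserve a second look if they came from the internet.

function Get-SmartScreenState {
    # 'Off' means Explorer SmartScreen is disabled; 'Warn', 'Block' or
    # 'RequireAdmin' mean downloads are still being evaluated.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    $item = Get-ItemProperty -Path $key -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    if (-not $item -or [string]::IsNullOrEmpty($item.SmartScreenEnabled)) { return 'NotConfigured' }
    return $item.SmartScreenEnabled
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # The Zone.Identifier stream holds a [ZoneTransfer] section with a ZoneId;
    # 3 is the Internet zone, 4 is Restricted Sites. Returns $null if absent.
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Get-DownloadAudit {
    # Assumed location: the current user's Downloads folder.
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -Path $Folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        $zone = Get-MarkOfTheWeb -Path $_.FullName
        [pscustomobject]@{
            File    = $_.Name
            ZoneId  = $zone
            HasMotW = ($null -ne $zone)
        }
    }
}

"SmartScreen (Explorer): $(Get-SmartScreenState)"
Get-DownloadAudit | Format-Table -AutoSize
```

A value of 'Off' or 'NotConfigured', or internet-sourced files with HasMotW false, means the protections this bypass targets were already not in play on that host; the fix itself is still the March update.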
Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
A critical security flaw, CVE-2023-23415, has been found in Windows' handling of the Internet Control Message Protocol (ICMP), the protocol used by commands such as “ping”. An attacker can exploit it by sending a low-level protocol error containing a fragmented IP packet inside another ICMP packet header to the target machine. To trigger the flaw, an application on the target must be bound to a raw socket. Successful exploitation can result in remote code execution. The attack is easy to execute and requires no privileges or user interaction, making it a significant threat with a critical CVSS score of 9.8. While Microsoft considers exploitation possible, there is currently no evidence of it. The best way to mitigate this risk is to install the Microsoft update on all systems after testing it in a controlled environment.
HTTP Protocol Stack Remote Code Execution Vulnerability
CVE-2023-23392 is a critical vulnerability in the HTTP Protocol Stack (http.sys). An unauthenticated attacker can exploit it by sending a specially crafted packet to a targeted server that uses http.sys to process requests, which can lead to remote code execution and poses a significant security risk.
The vulnerability affects Windows Server 2022 and Windows 11. The attack is low in complexity and requires no privileges or user interaction, and the CVSS score of 9.8 places it at the critical level. While there is no evidence of exploitation yet, it is highly likely to occur.
To mitigate this risk, Microsoft recommends installing the latest update on all systems after proper testing in a controlled environment. Taking this step promptly is essential to the safety and security of your systems.
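Any service that registers a URL prefix with http.sys (IIS, WinRM, WSUS, Exchange and many third-party products do) is an exposure point for this bug, so patch prioritisation starts with knowing which hosts listen through it. The inventory below is an added example written for this post, not Microsoft tooling; it assumes the text layout of `netsh http show servicestate`, where registered prefixes appear as lines starting with http:// or https://.

```powershell
# Added example (not from the original post). Inventories what this host serves
# through the HTTP Protocol Stack so the CVE-2023-23392 update can be prioritised.
# Assumes netsh prints registered URL prefixes on lines beginning with http(s)://.

function Get-HttpSysExposure {
    $os  = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $svc = Get-Service -Name HTTP -ErrorAction SilentlyContinue
    $running = [bool]($svc -and $svc.Status -eq 'Running')

    # Registered URL prefixes come from the active request queues.
    $urls = @()
    if ($running) {
        $urls = @(netsh http show servicestate view=requestq 2>$null |
            ForEach-Object { if ($_ -match '^\s*(https?://\S+)') { $Matches[1] } })
    }

    # http.sys listens from the kernel, so its TCP listeners are owned by PID 4
    # (System). Other kernel listeners such as SMB on 445 share that PID, so the
    # URL list is the authoritative view and the port list is a cross-check.
    $ports = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -eq 4 } |
        Select-Object -ExpandProperty LocalPort -Unique | Sort-Object)

    [pscustomobject]@{
        OperatingSystem   = $os
        HttpSysRunning    = $running
        RegisteredUrls    = $urls
        KernelListenPorts = $ports
    }
}

$report = Get-HttpSysExposure
$report | Format-List
if ($report.HttpSysRunning -and $report.RegisteredUrls.Count -gt 0) {
    Write-Warning ("http.sys is serving {0} URL prefix(es) on '{1}'; prioritise the March update here." -f
        $report.RegisteredUrls.Count, $report.OperatingSystem)
}
```

Run it across the fleet (for example through Invoke-Command) and sort the results by RegisteredUrls to get the patch order; a Windows Server 2022 or Windows 11 host with internet-reachable prefixes goes first.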