{"id":88477,"date":"2023-03-15T08:00:00","date_gmt":"2023-03-15T08:00:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/?p=88477"},"modified":"2023-03-15T08:00:00","modified_gmt":"2023-03-15T08:00:00","slug":"microsoft-patches-outlook-zero-day-for-march-patch-tuesday","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=88477","title":{"rendered":"Microsoft patches Outlook zero-day for March Patch Tuesday"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/03\/microsoft-patches-outlook-zero-day-for-march-patch-tuesday.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Microsoft has issued patches for two zero-day vulnerabilities among a total of just over 80 bugs addressed in <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/\">its monthly Patch Tuesday update<\/a>.<\/p>\n<p>The number of issues, which includes four CVEs that were assigned by GitHub, is roughly on par with the disclosure volumes seen in the first two months of the year, with another heavy slant towards remote code execution (RCE) issues.<\/p>\n<p>\u201cMicrosoft has resolved 80 new CVEs this month and expanded four previously released CVEs to include additional Windows versions,\u201d said <a href=\"https:\/\/www.ivanti.com\/en-gb\/\">Ivanti<\/a> vice-president of security products Chris Goettl. \u201cThis brings the total number of CVEs addressed this month to 84. There are two confirmed zero-day exploits resolved in this month\u2019s updates that impact Microsoft Office and Windows Smart Screen. Both exploits are user-targeted. There are a total of nine CVEs rated as critical this month. 
Eight of the nine critical CVEs are in the Windows OS update this month.\u201d<\/p>\n<p>Tracked as <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-23397\">CVE-2023-23397<\/a>, the <a href=\"https:\/\/support.microsoft.com\/en-us\/office\/what-is-outlook-10f1fa35-f33a-4cb7-838c-a7f3e6228b20\">Outlook<\/a> vulnerability is being exploited but has not been made public until now. It carries a CVSS score of 9.1 and is of important severity. It\u2019s an elevation of privilege (EoP) vulnerability that can be exploited by sending an email to a potential target.<\/p>\n<p>It\u2019s triggered on the email server side, which means it can be exploited before the email is actually opened and viewed. Successfully exploited, it lets an unauthenticated actor access the victim\u2019s Net-NTLMv2 hash and use it to authenticate as the victim, bypassing authentication measures.<\/p>\n<p>Kev Breen, <a href=\"https:\/\/www.immersivelabs.com\/\">Immersive Labs<\/a> director of cyber threat research, said CVE-2023-23397 was particularly dangerous, and additionally noted that its assigned status as an EoP bug did not entirely accurately reflect this.<\/p>\n<p>\u201cKnown as an NTLM relay attack, it allows an attacker to get someone\u2019s NTLM hash and use it in an attack commonly known as Pass the Hash,\u201d he said. \u201cThe vulnerability effectively lets the attacker authenticate as a trusted individual without having to know the person\u2019s password. 
This is on par with an attacker having a valid password with access to an organisation\u2019s systems.\u201d<\/p>\n<p>Its discovery is credited to Microsoft\u2019s Incident Response and Threat Intelligence teams working alongside <a href=\"https:\/\/cert.gov.ua\/\">Ukraine\u2019s national CERT<\/a>, which implies it\u2019s being exploited by Russian state actors in their <a href=\"https:\/\/www.computerweekly.com\/feature\/What-can-security-teams-learn-from-a-year-of-cyber-warfare\">ongoing cyber war campaign<\/a>.<\/p>\n<p><a href=\"https:\/\/www.rapid7.com\/\">Rapid7<\/a> lead software engineer Adam Barnett said: \u201cMicrosoft has detected in-the-wild exploitation by a Russia-based threat actor targeting government, military and critical infrastructure targets in Europe. Given the network attack vector, the ubiquity of SMB shares and the lack of user interaction required, an attacker with a suitable existing foothold on a network may well consider this vulnerability a prime candidate for lateral movement.\u201d<\/p>\n<p>The second zero-day is tracked as <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-24880\">CVE-2023-24880<\/a>. It\u2019s public, and known to have been exploited in the wild. A security feature bypass vulnerability in the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-smartscreen\/microsoft-defender-smartscreen-overview\">Windows SmartScreen<\/a> anti-phishing and anti-malware service, it carries a CVSS score of 5.4 and is of moderate severity.<\/p>\n<p>Left unaddressed, CVE-2023-24880 allows an attacker to create a file that bypasses the Mark of the Web defence, making it much easier for them to spread tainted documents and malware that SmartScreen might otherwise spot.<\/p>\n<p>Breen said that even though it carries a less severe rating, defenders should still prioritise fixing it. 
\u201cThe notes from Microsoft say that an attacker can craft a malicious file that would disable some security features like \u2018protected view\u2019 in Microsoft Office,\u201d he said.<\/p>\n<p>\u201cMacro-based malware is still frequently seen as part of initial compromises, and users have grown accustomed to these prompts protecting them from dangerous files,\u201d added Breen. \u201cProtected View and Mark of the Web should be part of your defence in depth strategy and not a single layer of protection.\u201d<\/p>\n<p>Its discovery is credited to the Google Threat Analysis Group\u2019s Benoit Sevens and Vlad Stolyarov, and Microsoft\u2019s Bill Demirkapi.<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"Critical vulnerabilities\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Critical vulnerabilities<\/h3>\n<p>The critical vulnerabilities listed in the March update are as follows:<\/p>\n<p>Of these, Gal Sadeh, head of data and security research at <a href=\"https:\/\/www.silverfort.com\/\">Silverfort<\/a>, said CVE-2023-21708 and CVE-2023-23415 were particularly noteworthy.<\/p>\n<p>\u201cA critical RCE vulnerability in Remote Procedure Call Runtime, CVE-2023-21708, should be a priority for security teams as it allows unauthenticated attackers to run remote commands on a target machine,\u201d he said. \u201cThreat actors could use this to attack Domain Controllers, which are open by default. To mitigate, we recommend Domain Controllers only allow RPC from authorised networks and RPC traffic to unnecessary endpoints and servers is limited.<\/p>\n<p>\u201cAnother critical vulnerability, CVE-2023-23415, poses a serious risk as it allows attackers to exploit a flaw in Internet Control Message Protocol \u2013 which is often not restricted by firewalls \u2013 to gain remote code execution on exposed servers using a malicious packet. 
Requiring the targeting of a raw socket \u2013 any organisation using such infrastructure should either patch, or block ICMP packets at the firewall,\u201d said Sadeh.<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft has issued patches for two zero-day vulnerabilities among a total of just over 80 bugs addressed in its monthly Patch Tuesday update. The number of issues, which includes four CVEs that were assigned by Github, is roughly on par with the disclosure volumes seen in the first two months of the year, with another [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":88478,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-88477","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88477","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=88477"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88477\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/88478"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=88477"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=88477"},{"taxonomy":"post_tag","embeddable":true,"href"
:"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=88477"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}