March Patch Tuesday review.
N2K, Mar 15, 2023

Microsoft Outlook zero-day exploited by Russia’s GRU.

Yesterday was Patch Tuesday, and Microsoft has issued fixes for two flaws that are being actively exploited in the wild.

Microsoft patches two zero-days.

Microsoft issued a total of eighty patches, eight of which are classed as critical. One of these, CVE-2023-23397, is an elevation-of-privilege bug affecting Microsoft Outlook that’s currently being exploited by attackers. Microsoft states, “An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user. ... The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”

BleepingComputer cites a private report from Microsoft as stating that Russia’s APT28 (also known as Fancy Bear, an arm of the GRU) has been exploiting CVE-2023-23397 since at least April 2022 to target European “government, military, energy, and transportation organizations.” Microsoft has credited Ukraine’s CERT-UA for the discovery of the vulnerability.
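The Net-NTLMv2 leak Microsoft describes only works if the Outlook client can actually reach a server the attacker controls, which is why blocking and alerting on outbound SMB to the internet is the standard defensive control for this class of bug. The following is an added example, not code from the article, Microsoft or Rapid7: a small detector that reads firewall log lines and flags allowed outbound SMB (TCP 445/139) connections from internal hosts to addresses outside the organisation's own ranges. The log format, the internal address plan (`INTERNAL_NETS`) and the sample lines are all constructed for the example; a real firewall's export will need its own `LINE_RE`.

```python
"""Flag outbound SMB connections from internal hosts to external addresses.

Added example (not part of the original article). The syslog-like line format,
the INTERNAL_NETS address plan and the SAMPLE_LOG lines are constructed
assumptions; adapt LINE_RE and INTERNAL_NETS to your own environment.
"""
import ipaddress
import re

# Assumed organisational address plan. Deliberately explicit rather than
# ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample firewall lines (not real traffic). Destinations use the
# RFC 5737 documentation ranges so they are clearly not internal hosts.
SAMPLE_LOG = """\
2023-03-14T09:12:01Z ALLOW src=10.20.5.17 dst=10.20.1.4 dport=445 proto=tcp
2023-03-14T09:12:09Z ALLOW src=10.20.5.17 dst=203.0.113.44 dport=445 proto=tcp
2023-03-14T09:12:10Z ALLOW src=10.20.5.17 dst=203.0.113.44 dport=443 proto=tcp
2023-03-14T09:13:30Z DENY src=10.20.7.9 dst=198.51.100.8 dport=445 proto=tcp
2023-03-14T09:14:02Z ALLOW src=10.20.7.9 dst=192.168.50.2 dport=139 proto=tcp
this line is not a firewall record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
SMB_PORTS = {445, 139}


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(addr):
    """True when the address is outside INTERNAL_NETS and not loopback."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text, only_allowed=True):
    """Return records for SMB connections from internal to external hosts.

    only_allowed=True reports just the connections the firewall let through,
    i.e. the ones where a hash could actually have left the network; set it
    to False to also see blocked attempts, which are worth investigating too.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] not in SMB_PORTS:
            continue
        if is_external(rec["src"]) or not is_external(rec["dst"]):
            continue
        if only_allowed and rec["action"] != "ALLOW":
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_outbound_smb(SAMPLE_LOG, only_allowed=False):
        print(f"{hit['ts']} {hit['action']} {hit['src']} -> {hit['dst']}:{hit['dport']}")
```

Only the second sample line is an allowed internal-to-external SMB connection; the denied attempt on the fourth line shows up only with `only_allowed=False`. The same check is the rationale for the common hardening step of denying outbound TCP 445 at the perimeter: if the client can never complete the connection, there is no NTLM exchange to capture.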

Another actively exploited bug, CVE-2023-24880, is a security feature bypass vulnerability impacting Windows SmartScreen. Microsoft says “[an] attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.”

Google’s Threat Analysis Group (TAG) says CVE-2023-24880 is being used by the Magniber ransomware gang: “The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet.”
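Mark of the Web is nothing more than a small alternate data stream named Zone.Identifier that Windows writes next to a downloaded file; SmartScreen and Office Protected View consult it to decide whether a file deserves extra scrutiny. The example below is added here and is not code from the article, Google TAG or Microsoft. It parses the documented stream format from a constructed sample, treats a malformed stream as "marked" rather than ignoring it, and then models the design point behind the bypass TAG describes: a gate whose signature check returns an error must fall through to the warning, not past it. The `decide()` function is a deliberately simplified model of that gate, not SmartScreen's real logic, and the signature outcomes are passed in as values rather than computed.

```python
"""Parse a Mark of the Web (Zone.Identifier) stream and model a fail-closed
warning gate.

Added example, not code from the article or from Microsoft. The stream format
([ZoneTransfer] section with ZoneId and optional ReferrerUrl/HostUrl) is the
documented NTFS alternate data stream; SAMPLE_STREAM is constructed. decide()
is a simplified model of a download-warning gate, not SmartScreen's real
decision procedure.
"""
from typing import Optional

ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}

# Constructed sample stream as Windows would write it for a browser download.
SAMPLE_STREAM = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                 b"ReferrerUrl=https://example.test/downloads\r\n"
                 b"HostUrl=https://cdn.example.test/setup.msi\r\n")


def parse_zone_identifier(data: bytes) -> dict:
    """Parse the INI-style stream; raise ValueError if no ZoneId is present."""
    section = None
    fields = {}
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if "ZoneId" not in fields or not fields["ZoneId"].isdigit():
        raise ValueError("no usable ZoneId in ZoneTransfer section")
    zone = int(fields["ZoneId"])
    return {"zone_id": zone, "zone": ZONE_NAMES.get(zone, "Unknown"),
            "referrer": fields.get("ReferrerUrl"), "host": fields.get("HostUrl")}


def is_marked_from_web(data: Optional[bytes]) -> bool:
    """True for Internet/Restricted zone files. A missing stream means the file
    was never tagged (or the tag was stripped); a malformed stream fails closed."""
    if data is None:
        return False
    try:
        return parse_zone_identifier(data)["zone_id"] >= 3
    except ValueError:
        return True


# Possible outcomes of an (external) Authenticode verification step.
SIG_VALID, SIG_INVALID, SIG_ERROR = "valid", "invalid", "error"


def decide(motw: Optional[bytes], sig_result: str, fail_open: bool = False) -> str:
    """Return 'run' or 'warn' for a file about to be opened.

    fail_open=True reproduces the bug class from the article: an error raised
    while checking the signature is treated as 'nothing to warn about'. The
    default (fail closed) only skips the warning for a file that is either not
    marked from the web or whose signature verified cleanly (a simplification).
    """
    if not is_marked_from_web(motw):
        return "run"
    if sig_result == SIG_VALID:
        return "run"
    if sig_result == SIG_ERROR and fail_open:
        return "run"   # the bypass: verifier error silently suppresses the dialog
    return "warn"
```

On a real Windows host the stream is read with `file.msi:Zone.Identifier`; the parser above is handed those bytes. The lesson carried by `decide()` is the general one: any gate that decides between "warn" and "run" must map an exception in its own verification path to the warning branch.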

Other patches.

Adobe has issued 106 patches for a variety of its products. SecurityWeek notes that Adobe says one of these vulnerabilities (CVE-2023-26360) “has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.”

And Firefox has patched eleven security bugs with version 111.0, Naked Security reports.

Industry comments.

Adam Barnett, Lead Software Engineer at Rapid7, offered the following observations on Microsoft's patches:

"Current self-hosted versions of Outlook – including Microsoft 365 Apps for Enterprise – are vulnerable to CVE-2023-23397, but Microsoft-hosted online services (e.g., Microsoft 365) are not vulnerable.

"The other zero-day this month, CVE-2023-24880, describes a Security Feature Bypass in Windows SmartScreen, which is part of Microsoft’s slate of endpoint protection offerings. A specially-crafted file could evade Mark of the Web defenses and thus avoid the enhanced scrutiny usually applied to files downloaded from the internet. Although Microsoft has detected in-the-wild exploitation, and functional exploit code is publicly available, Microsoft has marked this one as only Moderate severity, and assessed it with a relatively low CVSSv3 of 5.4; the low impact ratings and requirement for user interaction contribute to the lower scoring. Only more recent versions of Windows are affected: Windows 10 and 11, as well as Server 2016 onwards.

"A further five critical Remote Code Execution (RCE) vulnerabilities are patched this month in Windows low-level components, as well as 22 vulnerabilities in Microsoft Edge."

Ashley Leonard, CEO and founder of Syxsense, describes one of the critical flaws patched by Microsoft, but notes that this vulnerability doesn't appear to have been exploited in the wild:

"Exploitation of the HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2023-23392) typically allows an unauthenticated attacker to send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. The CVSS score on this vulnerability is 9.8 (critical) but it’s not being weaponized."