Update required: Microsoft fixes two actively exploited zero-days with March patch day
by Tina Siering
On its monthly patch day (Patch Tuesday), Microsoft once again ships numerous software updates to close known vulnerabilities. For March 2023, of the total of 80 patches listed in the Security Update Guide, two fixes for actively exploited zero-day vulnerabilities require special attention and quick action: the affected Outlook and Windows versions should be updated as soon as possible.
1. Critical vulnerability in Microsoft Outlook (CVSS 9.8, risk "critical")
CVE-2023-23397 is an elevation-of-privilege vulnerability in Microsoft Outlook that is triggered by a specially crafted email. The message carries a calendar or task reminder whose sound-file property (PidLidReminderFileParameter) points to a UNC path on a server the attacker controls; when Outlook processes the reminder it connects to that path over SMB and authenticates with the recipient's Windows credentials, handing the attacker the user's Net-NTLMv2 challenge/response (commonly called the Net-NTLMv2 hash). The trigger fires while the Outlook client receives and processes the message, before it is shown in the preview pane, so no click or other action by the recipient is required.
The captured challenge/response can be relayed in real time to another service that accepts NTLM (an "NTLM relay attack"), letting the attacker authenticate there as the victim, or it can be cracked offline to recover the password. NTLM (NT LAN Manager) is Microsoft's legacy challenge-response authentication protocol suite, still accepted by SMB, HTTP and many other Windows services.
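What the attacker's SMB server actually receives is not a password hash but the NTLMSSP AUTHENTICATE message of the NTLM handshake. The following added example (written for this page, not code from Microsoft or from the article's author) decodes a CHALLENGE and AUTHENTICATE message pair into the `user::domain:serverchallenge:NTProofStr:blob` line that cracking tools consume, which is why a single leaked exchange is enough for offline cracking or relay. The message bytes are constructed inline with arbitrary values for the server challenge, timestamp and NTProofStr; the field offsets follow the NTLMSSP message layout, which is the only thing the parser relies on.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def _field(msg, hdr_off):
    """Read an NTLMSSP (Len, MaxLen, BufferOffset) descriptor and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, hdr_off)
    return msg[offset:offset + length]


def server_challenge(type2):
    """Extract the 8-byte ServerChallenge from a CHALLENGE_MESSAGE (NTLMSSP type 2)."""
    if type2[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", type2, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE message")
    return type2[24:32]  # Signature(8) + MessageType(4) + TargetNameFields(8) + Flags(4)


def parse_authenticate(type3):
    """Pull user, domain and the NTLMv2 response out of an AUTHENTICATE_MESSAGE (NTLMSSP type 3)."""
    if type3[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", type3, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    flags = struct.unpack_from("<I", type3, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    nt_response = _field(type3, 20)          # NtChallengeResponseFields
    domain = _field(type3, 28).decode(enc)   # DomainNameFields
    user = _field(type3, 36).decode(enc)     # UserNameFields
    # NTLMv2: 16-byte NTProofStr (HMAC-MD5 over the NT hash) followed by the client blob, which starts 0x01 0x01.
    if len(nt_response) <= 24 or nt_response[16:18] != b"\x01\x01":
        raise ValueError("NT response is not NTLMv2")
    return {"user": user, "domain": domain,
            "nt_proof": nt_response[:16], "blob": nt_response[16:]}


def netntlmv2_line(type2, type3):
    """Render the exchange in the form hashcat -m 5600 / john netntlmv2 accept."""
    auth = parse_authenticate(type3)
    return "%s::%s:%s:%s:%s" % (auth["user"], auth["domain"], server_challenge(type2).hex(),
                               auth["nt_proof"].hex(), auth["blob"].hex())


def _pack_field(data, offset):
    return struct.pack("<HHI", len(data), len(data), offset)


def build_sample_exchange():
    """Constructed sample messages (not a real capture); challenge, timestamp and NTProofStr are arbitrary bytes."""
    challenge = bytes.fromhex("1122334455667788")
    flags = 0xE2888215  # typical negotiate flags, including NTLMSSP_NEGOTIATE_UNICODE
    type2 = (NTLMSSP_SIGNATURE + struct.pack("<I", 2)
             + _pack_field(b"", 56)                  # TargetName (empty)
             + struct.pack("<I", flags) + challenge + b"\x00" * 8
             + _pack_field(b"", 56)                  # TargetInfo (empty)
             + b"\x00" * 8)                          # Version
    blob = (b"\x01\x01" + b"\x00" * 6                # RespType, HiRespType, Reserved1, Reserved2
            + bytes.fromhex("00c0a3d6e0d2d901")      # TimeStamp (FILETIME)
            + bytes.fromhex("aabbccddeeff0011")      # ChallengeFromClient
            + b"\x00" * 4                            # Reserved3
            + struct.pack("<HH", 2, 8) + "CORP".encode("utf-16-le")  # MsvAvNbDomainName
            + struct.pack("<HH", 0, 0)               # MsvAvEOL
            + b"\x00" * 4)
    parts = {
        "domain": "CORP".encode("utf-16-le"),
        "user": "alice".encode("utf-16-le"),
        "workstation": "WS01".encode("utf-16-le"),
        "lm": b"\x00" * 24,
        "nt": bytes.fromhex("6a9c8e2b1f0d4c3b5a7e9f1d2c3b4a5e") + blob,
        "key": b"",
    }
    payload, hdr = b"", {}
    for name in ("domain", "user", "workstation", "lm", "nt", "key"):
        hdr[name] = _pack_field(parts[name], 88 + len(payload))  # fixed header is 88 bytes
        payload += parts[name]
    type3 = (NTLMSSP_SIGNATURE + struct.pack("<I", 3)
             + hdr["lm"] + hdr["nt"] + hdr["domain"] + hdr["user"] + hdr["workstation"] + hdr["key"]
             + struct.pack("<I", flags) + b"\x00" * 8 + b"\x00" * 16  # flags, Version, MIC
             + payload)
    return type2, type3


if __name__ == "__main__":
    t2, t3 = build_sample_exchange()
    print(netntlmv2_line(t2, t3))
```

The same two functions work on real traffic: `server_challenge` on the NTLMSSP blob inside the SMB2 SESSION_SETUP response and `parse_authenticate` on the blob in the following request. The point for defenders is that the NTProofStr is keyed with the user's NT hash, so a relay needs no cracking at all, and offline cracking only needs a guessable password.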
Before the fix shipped, the vulnerability had already been exploited by a hacking group linked to the Russian military intelligence service GRU to attack European organisations.
All supported versions of Microsoft Outlook for Windows are affected. Outlook for Android, iOS and macOS and Outlook on the web are not affected.
Recommended action if timely patching is not (yet) possible: block outbound TCP port 445 (SMB) from the network to the internet at the perimeter and, where feasible, on the host firewall, so that a triggered Outlook cannot reach an attacker's SMB server; additionally, add high-value accounts to the Protected Users security group, which prevents NTLM authentication for them. Microsoft has also published a PowerShell script for Exchange administrators that searches mailboxes for messages carrying the malicious reminder property; it should be run after patching to find messages that arrived before the fix.
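Blocking port 445 is only useful if it is verified. The following added example (not from the article or from Microsoft) runs over firewall log lines and flags TCP flows from an internal host to an SMB port on an external address: an `allow` hit means the block is missing, a `deny` hit after the rule is in place is a workstation that tried to reach an external SMB server and deserves a look for a malicious reminder. The log format, the internal address ranges and the sample lines are all constructed assumptions; adapt the regular expression and `INTERNAL_NETWORKS` to your own firewall export.

```python
import ipaddress
import re

# Assumption: the organisation's own address space. An explicit list is used rather than
# ipaddress.is_private, which also treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}  # 445 is the target of the mitigation; 139 (NetBIOS session) is worth watching too

# Assumed key=value export format; change the pattern for your firewall's log style.
LOG_LINE = re.compile(
    r"(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>\S+)\s+spt=\d+\s+dst=(?P<dst>\S+)\s+dpt=(?P<dpt>\d+)"
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2023-03-15T09:12:03Z action=allow proto=tcp src=10.20.30.40 spt=50123 dst=10.20.1.5 dpt=445
2023-03-15T09:12:07Z action=allow proto=tcp src=10.20.30.40 spt=50124 dst=203.0.113.5 dpt=445
2023-03-15T09:12:09Z action=deny proto=tcp src=10.20.30.41 spt=50200 dst=203.0.113.5 dpt=445
2023-03-15T09:13:11Z action=allow proto=tcp src=10.20.30.42 spt=50300 dst=203.0.113.9 dpt=443
2023-03-15T09:14:00Z action=allow proto=udp src=10.20.30.43 spt=137 dst=203.0.113.9 dpt=137
""".splitlines()


def is_internal(ip):
    """True for loopback, link-local and any address inside INTERNAL_NETWORKS."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_link_local or any(addr in net for net in INTERNAL_NETWORKS)


def find_outbound_smb(lines):
    """Return (timestamp, src, dst, port, action) for TCP flows from an internal host to an external SMB port."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline should count these, not drop them silently
        dpt = int(m["dpt"])
        if m["proto"].lower() != "tcp" or dpt not in SMB_PORTS:
            continue
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            hits.append((m["ts"], m["src"], m["dst"], dpt, m["action"]))
    return hits


def allowed_smb_egress(lines):
    """Only the flows that actually got through, i.e. evidence the block is not in place."""
    return [h for h in find_outbound_smb(lines) if h[4].lower() == "allow"]


if __name__ == "__main__":
    for hit in find_outbound_smb(SAMPLE_LOG):
        print("%s %s -> %s:%d %s" % hit)
```

Running it on the sample yields two hits for 203.0.113.5:445, one allowed and one denied; the internal-to-internal SMB flow, the HTTPS flow and the UDP NetBIOS flow are ignored. Feed it a day of logs after the firewall change and the `allow` list should be empty.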
2. Vulnerability in Windows SmartScreen (CVSS 5.4, risk "medium")
Vulnerability CVE-2023-24880 allows cybercriminals to bypass the Windows SmartScreen warning and was observed in the wild spreading the Magniber ransomware. Google's Threat Analysis Group, which reported the bug to Microsoft, saw it delivered as MSI installers carrying a deliberately malformed Authenticode signature.
SmartScreen is a security feature introduced in Windows 8 and extended in Windows 10. It checks websites, downloads and apps at several points and acts as a reputation filter: for a file that carries the Mark of the Web (MoTW), the marker Windows attaches to files that arrived from the internet, it compares the file's hash and signer with Microsoft's reputation service and warns the user or blocks the file. In an affected Windows version, the malformed signature on such a file makes the SmartScreen check fail with an error instead of a verdict, and the check fails open: the warning dialog is never shown.
The file still carries its MoTW, but the one control that acts on it is silently skipped, so SmartScreen can no longer flag a possibly malicious installer or document and the malware runs as if it were a trusted local file.
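To see what SmartScreen is deciding on, it helps to look at the Mark of the Web itself: on NTFS it is an alternate data stream named `Zone.Identifier` in INI syntax, with `ZoneId=3` (Internet) or `4` (Restricted sites) marking a file as untrusted. The following added example (written for this page, not from the article or from Microsoft) parses that stream and reads it from a file on Windows; the sample stream content is constructed. Note that in the bypass described above the stream is present and correct, which is exactly why the failure is in SmartScreen rather than in the marker.

```python
import configparser

# URL security zones used in the ZoneId field of a Zone.Identifier stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}

# Constructed sample of a Zone.Identifier stream as written by a browser after a download.
SAMPLE_MOTW = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/download\r\n"
    "HostUrl=https://example.com/files/setup.msi\r\n"
)


def parse_zone_identifier(text):
    """Parse the text of a Zone.Identifier stream into zone id, zone name and the recorded URLs."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section: not a Mark of the Web stream")
    zone = cp.getint("ZoneTransfer", "ZoneId")
    return {
        "zone_id": zone,
        "zone": ZONE_NAMES.get(zone, "unknown"),
        "referrer": cp.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        "host": cp.get("ZoneTransfer", "HostUrl", fallback=None),
    }


def read_mark_of_the_web(path):
    """Read a file's Zone.Identifier alternate data stream (NTFS on Windows); None if the file has no MoTW."""
    try:
        # "file:stream" syntax opens a named stream on NTFS; on other file systems this simply does not exist.
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def is_from_internet(motw):
    """SmartScreen only inspects files marked Internet (3) or Restricted sites (4)."""
    return motw is not None and motw["zone_id"] >= 3


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_MOTW))
```

On a Windows host `read_mark_of_the_web(r"C:\Users\me\Downloads\setup.msi")` returns the parsed stream, and `is_from_internet` tells you whether SmartScreen would have been consulted at all for that file; a file with no stream, for example one extracted from a container that drops the marker, is never shown to SmartScreen in the first place.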
All supported Windows client and server versions are affected, up to and including Windows 11 22H2 and Windows Server 2022.
Recommendation: Since both of these vulnerabilities were already under active attack when the fixes shipped, IT managers should apply the March updates immediately, with the Outlook fix as the first priority.