Microsoft released patches to fix 83 vulnerabilities on March 2023 Patch Tuesday, including two actively exploited zero-day flaws, one in Outlook and one in Windows SmartScreen. This month’s round of updates includes patches for 9 critical flaws, 70 important issues, 1 moderate flaw, and three Mariner flaws where the severity is unknown. A further 21 vulnerabilities in Chromium-based browsers were addressed in an update on Monday.
The first of the zero-day bugs is an elevation of privilege vulnerability in Microsoft Outlook that has a CVSS severity score of 9.8 out of 10 and is tracked as CVE-2023-23397. A threat actor can exploit the flaw by sending specially crafted emails, which cause the victim’s device to connect to a malicious remote URL, transmitting the Net-NTKMv2 hash of the Windows account. The hash can then be relayed to another service to authenticate as the victim. The flaw is exploited before an email is read in the preview pane, as it is automatically triggered when the message is retrieved and processed by the mail server. The flaw is known to have been exploited by the Russian state-sponsored hacking group, STRONTIUM.
The second zero-day flaw is a security bypass vulnerability in Windows SmartScreen. The bug has been assigned a CVSS severity score of 5.4 out of 10, but it is being actively exploited in the wild in an attack chain by the Magniber ransomware gang, so patching should still be prioritized. The flaw, tracked as CVE-2023-24880, allows Microsoft’s Mark-of-the-Web (MOTW) security feature to be bypassed. A malicious file could be crafted that would not generate a MOTW security warning, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office.
The other 8 critical flaws are a remote code execution vulnerability in the Internet Control Message Protocol (ICMP) – CVE-2023-23415; a remote code execution vulnerability in the Windows Remote Procedure Call – CVE-2023-21708; a remote code execution vulnerability in the Remote Access Service Point-to-Point Tunneling Protocol – CVE-2023-23404; a remote code execution vulnerability in Windows Cryptographic Services – CVE-2023-23416; a remote code execution vulnerability in the Windows HTTP Protocol Stack – CVE-2023-23392; two elevation of privilege vulnerabilities in Windows TPN – CVE-2023-1017 & CVE-2023-1018; and an elevation of privilege vulnerability in Windows Hyper-V – CVE-2023-23411.