
Microsoft fixes two actively exploited 0-days in March update


Microsoft’s patch Tuesday set of updates for March 2023 has fixed 80 vulnerabilities in the company’s products, two of which were under active exploitation.

Of the 80 vulnerabilities, 71 are rated important, eight critical and one moderate. The two under active exploitation are a privilege escalation flaw in Outlook tracked as CVE-2023-23397, with a CVSS score of 9.8, and a Windows SmartScreen security bypass flaw tracked as CVE-2023-24880, with a CVSS score of 5.1.

CVE-2023-23397, initially discovered by CERT-UA, is triggered when an attacker sends a message carrying an extended MAPI property that contains a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. In practice, a remote attacker can exploit the flaw simply by sending a maliciously crafted email, which is processed automatically when it is received by the Outlook client for Windows.

This means that the vulnerability can be exploited without user interaction or even before the message is loaded in Outlook’s preview pane. Once exploited, it can give the attacker administrator privileges to run arbitrary code and commands on the infected machine.
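The mechanism above (an extended MAPI property holding a UNC path to an external SMB share) lends itself to a simple mailbox-side check. The following is an added example, not code from the article or from Microsoft: it takes a list of message property dictionaries as a hypothetical export tool might produce them, extracts the host from any UNC path in the reminder property, and flags messages whose host is not on an internal allowlist. The property name PidLidReminderFileParameter is the one Microsoft's own CVE-2023-23397 guidance inspects but is not named in the article; the sample items, the hostnames and the allowlist are all constructed.

```python
import re
from typing import Iterable, Optional

# Constructed sample data: a few mailbox items as a hypothetical export tool
# might emit them (property name -> value). Only one carries an external UNC
# path; the others hold a local file, an internal share, or nothing at all.
SAMPLE_ITEMS = [
    {"subject": "Team sync",
     "PidLidReminderFileParameter": r"C:\Windows\Media\reminder.wav"},
    {"subject": "Invoice",
     "PidLidReminderFileParameter": r"\\203.0.113.7\share\s.wav"},
    {"subject": "Lunch",
     "PidLidReminderFileParameter": r"\\fileserver.corp.example\sounds\ding.wav"},
    {"subject": "Plain",
     "PidLidReminderFileParameter": None},
]

# Hosts under these suffixes are considered internal (constructed allowlist).
DEFAULT_TRUSTED_SUFFIXES = (".corp.example",)

# Matches "\\host\..." and captures the host component only.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def unc_host(value: Optional[str]) -> Optional[str]:
    """Return the host of a UNC path, or None if the value is not a UNC path."""
    if not value:
        return None
    match = UNC_RE.match(value.strip())
    return match.group(1).lower() if match else None


def is_trusted_host(host: str,
                    trusted_suffixes: Iterable[str] = DEFAULT_TRUSTED_SUFFIXES) -> bool:
    """True when the host sits under one of the allowlisted internal suffixes."""
    host = host.lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in trusted_suffixes)


def find_suspicious_items(items, property_name: str = "PidLidReminderFileParameter",
                          trusted_suffixes: Iterable[str] = DEFAULT_TRUSTED_SUFFIXES):
    """Return (subject, host) pairs for items whose reminder property points at
    an SMB share on a host outside the internal allowlist."""
    findings = []
    for item in items:
        host = unc_host(item.get(property_name))
        if host and not is_trusted_host(host, trusted_suffixes):
            findings.append((item.get("subject", "<no subject>"), host))
    return findings


if __name__ == "__main__":
    for subject, host in find_suspicious_items(SAMPLE_ITEMS):
        print(f"suspicious reminder path in '{subject}': external SMB host {host}")
```

The check is deliberately conservative: a local file path or an allowlisted share is ignored, and anything else that starts with `\\` is reported for review. It complements, rather than replaces, applying the March patch and blocking outbound TCP 445 at the network edge, which removes the SMB connection the flaw relies on.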

At the time of writing, Microsoft says it is aware of “limited targeted attacks” using the vulnerability, carried out by a Russian threat actor against European government, transportation, energy and military sectors.


The other actively exploited flaw, CVE-2023-24880, is a security bypass vulnerability that lets an attacker get past the Mark-of-the-Web (MOTW) protections implemented by Windows SmartScreen, which help protect a computer against untrusted downloads.

It is not a new bug but a variant of another SmartScreen vulnerability, CVE-2022-44698, which Microsoft fixed last year. That vulnerability was exploited by the Magniber ransomware gang in 2022, and because Microsoft’s patch did not address the root cause of the issue, threat actors were quickly able to come up with this new variant.

Other important vulnerabilities fixed in this update include two high-severity vulnerabilities in the TPM 2.0 reference library specification, tracked as CVE-2023-1017 and CVE-2023-1018, with CVSS scores of 8.8 out of 10. Exploitation of these flaws could lead to information disclosure or privilege escalation respectively. Four privilege escalation bugs were also fixed in the Windows Kernel, alongside 10 remote code execution flaws in the Microsoft PostScript and PCL6 Class Printer Driver.

Finally, the Android and iOS apps for Microsoft services also received security fixes. Two vulnerabilities were fixed in OneDrive for Android, tracked as CVE-2023-24882 and CVE-2023-24923, each with a CVSS score of 5.5. OneDrive for iOS received a fix for a security bypass bug tracked as CVE-2023-24890 (CVSS score 4.3), and OneDrive for macOS for a privilege escalation bug tracked as CVE-2023-24930 (CVSS score 7.8). A spoofing vulnerability in Office for Android, tracked as CVE-2023-23391 (CVSS score 5.5), was also fixed.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
