
Microsoft March 2023 Patch Day

Microsoft is providing updates for numerous products for the March Patch Day. They close dozens of vulnerabilities.

On the March Patch Day, Microsoft closes dozens of vulnerabilities across the company's products. Two zero-day vulnerabilities that have already been actively attacked stand out. Microsoft classifies a total of nine vulnerabilities as critical, in some cases independently of their CVSS assessment.

The Security Update Guide lists 80 CVE entries for vulnerabilities closed with the updates. Of these 80, however, four affect GitHub and two affect TPMs, which Microsoft now also addresses, so the Patch Day updates effectively fix 74 new vulnerabilities in Microsoft products. Two of the now-closed vulnerabilities are already being exploited in the wild by malicious actors.

The first affects Microsoft Outlook and allows attackers to escalate their privileges (CVE-2023-23397, CVSS 9.8, risk critical). By exploiting this vulnerability, attackers could obtain a user's Net-NTLMv2 hash. In the description of the vulnerability, Microsoft explains that the hash can be used in an NTLM relay attack against another service to authenticate as the victim. To exploit the vulnerability, it is sufficient to send a specially prepared e-mail. The e-mail triggers the flaw automatically when the Outlook client retrieves and processes it, before the e-mail is displayed in the preview window. An e-mail manipulated in this way can trigger a connection from the victim to an attacker's server, through which the victim's Net-NTLMv2 hash reaches the attackers.

The second vulnerability that has already been attacked is a bypass of the Windows SmartScreen security feature (CVE-2023-24880, CVSS 5.4, medium). Attackers can create malicious files that bypass Mark of the Web (MOTW) protections. This could lead to a limited loss of integrity and availability of security features that rely on MOTW tagging, such as Protected View in Microsoft Office.

Specifically, the attackers distributed MSI files signed with an invalid but carefully crafted Authenticode signature. The bad signature causes SmartScreen to return an error. This, in turn, bypasses the security warning dialog that users are supposed to see when an untrusted file carries a Mark of the Web indicating that a potentially malicious file was downloaded from the Internet.

According to Microsoft's release notes for the March Patch Day, the updates close vulnerabilities in the following products, components and functions: Azure, Client Server Run-time Subsystem (CSRSS), Internet Control Message Protocol (ICMP), Microsoft Bluetooth Driver, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Graphics Component, Microsoft Office Excel, Microsoft Office Outlook, Microsoft Office SharePoint, Microsoft OneDrive, Microsoft PostScript Printer Driver, Microsoft Printer Drivers, Microsoft Windows Codecs Library, Office for Android, Remote Access Service Point-to-Point Tunneling Protocol, Role: DNS Server, Role: Windows Hyper-V, Service Fabric, Visual Studio, and all supported Windows versions as well as various Windows components.

In addition to the security fixes, the cumulative updates for the Windows operating systems also contain corrections and functional enhancements from the February update preview. Since some of the vulnerabilities closed with the Patch Day updates are already being actively attacked, IT managers should not hesitate to apply the updates immediately.

About Author

I am a technology writer for UpdateStar, covering software, security, and privacy as well as research and innovation in information security. I worked as an editor for German computer magazines for more than a decade before starting to be a team member at UpdateStar.
