Microsoft has released its March 2023 Patch Tuesday software updates meant to address more than 80 security issues, including two actively exploited zero-day vulnerabilities, across a wide range of its products.
One of the zero-day flaws is CVE-2023-23397, a Microsoft Outlook elevation of privilege vulnerability that allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to the application leaks the Net-NTLMv2 hash. A remote attacker can send a specially crafted email to the victim and obtain the Net-NTLMv2 hash of the Windows account. The victim does not need to open the email, as the vulnerability is triggered automatically when it is retrieved and processed by the email server, e.g. before the email is viewed in the preview pane. The obtained NTLMv2 hash can be used in the NTLM Relay attack against another service to authenticate as the user.
The CVE-2023-23397 flaw is said to have been exploited by Strontium (aka APT28, Sednit, Sofacy, and Fancy Bear), a state-sponsored threat actor inked to Russia's military intelligence service GRU. The bug was exploited in attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe between mid-April and December 2022. Microsoft credited Ukraine's CERT team for discovering the vulnerability.
The second zero-day flaw, tracked as CVE-2023-24880, is a SmartScreen security feature bypass in Microsoft Windows, which could be exploited to bypass the Mark of the Web (MOTW) defenses.
According to Google’s TAG team, this flaw has been exploited by the Magniber ransomware operation.
“TAG has observed over 100,000 downloads of the malicious MSI files since January 2023, with over 80% to users in Europe — a notable divergence from Magniber’s typical targeting, which usually focuses on South Korea and Taiwan,” the team said.
In addition to the above zero-days, the March 2023 Patch Tuesday release addresses a slew of high-risk vulnerabilities affecting Microsoft Windows and Windows Server, Microsoft ICMP, Microsoft Excel, Microsoft IIS, Microsoft Windows Cryptographic Services, and other software components.