Microsoft Patches 80 Vulnerabilities, Including Two Actively Exploited Ones

March 2023 marks the 15th consecutive month that Microsoft has released patches to at least one zero-day vulnerability.

Last Updated: March 20, 2023

Microsoft March Patch Tuesday

This week, Microsoft and other companies rolled out patches for their respective products, in line with Patch Tuesday, the security update cycle that falls on the second Tuesday of every month.

As part of its March 2023 Patch Tuesday, Microsoft released fixes for 80 vulnerabilities, two of which are zero-day flaws, i.e., under active exploitation, the same count as in February. However, unlike last month, when nine flaws were rated critical, the number of critical-rated bugs patched in March is down to six.

One of the two zero-day vulnerabilities patched on March Patch Tuesday is publicly disclosed, and its proof-of-concept is available on the dark web. March 2023 marks the 15th consecutive month that Microsoft has released patches to at least one zero-day vulnerability.

“In this month’s Patch Tuesday update, Microsoft is releasing fixes for two very dangerous Zero Days that are actively being exploited by adversaries,” Xavier Bellekens, CEO of Lupovis, told Spiceworks. “These Zero Days are unique as they can easily be automated for mass scanning and exploitation.”

Mark Lamb, CEO of HighGround.io, explained to Spiceworks, “Both vulnerabilities can be triggered without any human intervention, which makes them highly concerning and means patching now is essential. Until these are patched, criminals have two very easy routes into an organization’s network.”

Of the 80 vulnerabilities addressed this month by Microsoft, four have a CVSS v3.1 score above 9 (out of 10), making them critical in severity. Forty-six vulnerabilities scored between 7 and 8.9, making them high in severity; 29 scored between 4 and 6.9, placing them in the medium severity category, while one has low severity (CVSS score below 4).

By vulnerability type, remote code execution (RCE, 26) flaws accounted for the most patches on March Patch Tuesday, followed by elevation of privilege (EoP, 21), information disclosure (15), spoofing (six), cross-site scripting (XSS, five), denial of service (DoS, four) and security feature bypass (SFB, three).

See More: Microsoft’s February Patchload Fixes 76 Flaws Including Three Zero Days

Let us look at the zero-day vulnerabilities fixed this Patch Tuesday.

CVE-2023-23397

CVE-2023-23397 is an EoP vulnerability residing in Microsoft Outlook. With a CVSS score of 9.8, low attack complexity, and no privileges or user interaction required, not to mention being actively exploited, CVE-2023-23397 is one of the most important vulnerabilities to fix this month. Fortunately, its proof of concept remains under wraps.

“In CVE-2023-23397, users don’t even need to view the malicious email that reaches their inboxes, instead, everything is executed and triggered behind the scenes without their knowledge,” Bellekens added.

Mike Walters, VP of vulnerability and threat research at Action1, explained to Spiceworks, “The attack can be executed without any user interaction by sending a specially crafted email which triggers automatically when retrieved by the email server.”

“This can lead to exploitation before the email is even viewed in the Preview Pane. If exploited successfully, an attacker can access a user’s Net-NTLMv2 hash, which can be used to execute a pass-the-hash attack on another service and authenticate as the user.”

It affects all versions of Outlook starting from 2013. The best way to avoid system compromise through CVE-2023-23397 is to update Outlook. Where updating cannot be done immediately, Walters outlined the two mitigation measures shared by Microsoft.

“If updating is not feasible, adding privileged users such as Domain Admins to the Protected Users Security Group can help prevent the use of NTLM as an authentication mechanism,” Walters said. The other mitigation is “Blocking TCP 445/SMB outbound from your network via perimeter firewalls, local firewalls, and VPN settings can also help prevent the sending of NTLM authentication messages to remote file shares.”
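The two interim mitigations quoted above, as an added example written for this article (it is not Microsoft's own script or one from the article): a PowerShell routine run by a domain admin on a domain-joined host. It assumes the RSAT ActiveDirectory module is installed, the domain functional level supports the Protected Users group (Windows Server 2012 R2 or later), and the built-in group names have not been localized.

```powershell
# Added example (not from the article or Microsoft): applies the two interim
# mitigations for CVE-2023-23397 on a domain-joined Windows host. Run as a
# domain admin with the RSAT ActiveDirectory module available.
Import-Module ActiveDirectory

# Mitigation 1: put privileged accounts in Protected Users, which refuses NTLM
# for its members, so a captured Net-NTLMv2 response cannot be relayed as them.
# The RID-500 built-in Administrator is skipped so a break-glass account stays
# usable if Kerberos is unavailable (Microsoft's own guidance for that group).
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SID.Value -notlike '*-500' }
foreach ($acct in $privileged) {
    $already = Get-ADGroupMember -Identity 'Protected Users' |
        Where-Object { $_.SID -eq $acct.SID }
    if (-not $already) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $acct
        Write-Host "Added $($acct.SamAccountName) to Protected Users"
    }
}

# Mitigation 2: block outbound SMB (TCP 445) to internet addresses so the host
# cannot send an NTLM authentication to a remote share outside the network.
# 'Internet' is a Windows Firewall address keyword resolved by Network Location
# Awareness; 'Any' would also cut SMB to internal file servers.
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# Verification: report the state of both controls for the change record.
$protected = (Get-ADGroupMember -Identity 'Protected Users').SamAccountName
$rule = Get-NetFirewallRule -DisplayName $ruleName
[pscustomobject]@{
    ProtectedUsers = ($protected -join ', ')
    FirewallRule   = $rule.DisplayName
    RuleEnabled    = $rule.Enabled
    RuleAction     = $rule.Action
}
```

Perimeter and VPN firewalls still need the equivalent outbound 445 block; the local rule only covers the host it runs on.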

CVE-2023-24880

Of the two zero-day bugs patched by Microsoft this month, CVE-2023-24880 is the less severe. It is an SFB flaw in Windows SmartScreen with a CVSS score of 5.4; it requires user interaction but has low attack complexity.

“While the vulnerability has a moderate CVSS risk score of 5.4, it cannot be used to gain access to private information or privileges. However, it can allow other malicious code to run without being detected by SmartScreen reputation checks,” Walters said.

What makes CVE-2023-24880 so concerning is that its exploitation proof of concept is available publicly. This bug impacts all Windows desktops starting from Windows 10 and Windows Server (editions 2016, 2019, and 2022).

“Microsoft Mark of the Web (MOTW) is a built-in Windows security feature that stops users from downloading or accessing malicious files from the internet by creating a zone identifier Alternate Data Stream (ADS), which enables Windows SmartScreen to block access to security features on the devices,” explained Preetham Gurram, senior product manager at Automox.

“However, the attacker can craft a malicious file bypassing the MOTW, resulting in a loss of device integrity and availability of security features in Microsoft office, such as Protected view, which relies on MOTW tags.”

Other critical and important vulnerability patches to prioritize in March

Vulnerability       Exists In                                    CVSS Score   Type
CVE-2023-23392      HTTP Protocol Stack                          9.8          RCE
CVE-2023-23415      Internet Control Message Protocol (ICMP)     9.8          RCE
CVE-2023-21708      Remote Procedure Call Runtime                9.8          RCE
CVE-2023-1017       CERT/CC: TPM2.0 Module Library               8.8          EoP
CVE-2023-1018       CERT/CC: TPM2.0 Module Library               8.8          EoP
CVE-2023-23416      Windows Cryptographic Services               8.4          RCE
CVE-2023-23404      Windows Point-to-Point Tunneling Protocol    8.1          RCE
CVE-2023-23411      Windows Hyper-V                              6.5          DoS

Bellekens concluded, “Organizations must patch these now, because we all know what happens after Patch Tuesday, suddenly it’s Exploit Wednesday and attackers will certainly be taking advantage of this window of opportunity while they still can.”


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com