Microsoft Patch Tuesday fix Outlook zero-day actively exploited

Microsoft Patch Tuesday updates for March 2023 addressed 74 vulnerabilities, including a Windows zero-day exploited in ransomware attacks.

Microsoft Patch Tuesday security updates for March 2023 addressed 74 new vulnerabilities in Microsoft Windows and Windows Components; Office and Office Components; Edge (Chromium-based); Microsoft Dynamics; Visual Studio; and Azure.

Six of the fixed issues are rated Critical and 67 are rated Important, while only one is rated Moderate in severity.

Two of the vulnerabilities addressed by the IT giant, respectively tracked as CVE-2023-23397 and CVE-2023-24880, are actively exploited in the wild.

The CVE-2023-23397 flaw is a Microsoft Outlook spoofing vulnerability that can lead to an authentication bypass.

A remote, unauthenticated attacker can exploit the flaw to access a user’s Net-NTLMv2 hash by sending a specially crafted e-mail to an affected system.

“An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.” reads the advisory published by Microsoft.

“The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.” “External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.”

The vulnerability was reported by the CERT-UA and the Microsoft Incident Response, Microsoft Threat Intelligence (MSTI), suggesting that it has been exploited by a nation-state actor.

The second flaw actively exploited in the wild is a Windows SmartScreen security feature bypass vulnerability tracked as CVE-2023-24880.

An attacker can exploit the vulnerability to bypass Mark of the Web (MOTW) defenses by using specially crafted files. Microsoft Office SmartScreen and Protected View defense features rely on MOTW, this means that the flaw can be exploited to bypass them and deliver malware via crafted documents.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.” states Microsoft.

This second flaw has been exploited by attackers to bypass the Windows SmartScreen and deploy the Magniber ransomware.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Patch Tuesday)