Microsoft's March Patch Tuesday batch corrects two actively exploited vulnerabilities, one in Microsoft Outlook and one in the Windows OS.
Windows zero-day, Outlook zero-day resolved
The Windows zero-day is a SmartScreen security feature bypass vulnerability (CVE-2023-24880) rated moderate for Windows desktop and server systems. Microsoft reported the bug was also publicly disclosed. The flaw has a CVSS score of 5.4 and requires user interaction to exploit.
Mark of the Web (MOTW) is a Windows security feature that tags files that arrive from an untrusted source, such as the internet. Microsoft's CVE notes state that when the user tries to run a file, SmartScreen checks the file for a Zone.Identifier alternate data stream. Files downloaded from the internet get a ZoneId=3 designation, which triggers a reputation check in SmartScreen. An attacker could build a malicious file that evades the MOTW check and the protections layered on it, such as Protected View in Microsoft Office.
The low CVSS score and severity level indicate this bug by itself is not a major threat. But it could be the final piece a threat actor needs to complete an attack chain of several vulnerabilities and take over a targeted system.
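The following PowerShell script is an added example and is not code from the original article or from Microsoft. It reads the Zone.Identifier stream described above for every file in a folder and reports which ones SmartScreen will actually screen; a downloaded file that has no stream, or a ZoneId below 3, runs without the reputation check. The only assumption is the folder to scan, which defaults to the current user's Downloads directory.

```powershell
# Added example: report the Mark of the Web status of every file in a folder.
# Assumption: $Path is the folder to scan; defaults to the user's Downloads.
function Get-MotwStatus {
    param(
        [string]$Path = "$env:USERPROFILE\Downloads"
    )
    Get-ChildItem -Path $Path -File | ForEach-Object {
        $file = $_
        # MOTW lives in the Zone.Identifier alternate data stream. A file without
        # that stream is treated as local and gets no SmartScreen reputation check.
        $stream = Get-Item -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $stream) {
            [pscustomobject]@{ Name = $file.Name; ZoneId = $null; Screened = $false; Note = 'no Zone.Identifier stream' }
            return   # move on to the next file
        }
        # The stream is INI-style text: [ZoneTransfer] / ZoneId=3 / HostUrl=...
        $text = Get-Content -Path $file.FullName -Stream Zone.Identifier -Raw
        $zone = $null
        if ($text -match '(?m)^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
        # ZoneId 3 (Internet) and 4 (Restricted sites) trigger the reputation check;
        # 0 (Local machine), 1 (Intranet) and 2 (Trusted sites) do not.
        $screened = ($zone -eq 3 -or $zone -eq 4)
        if ($null -eq $zone) { $note = 'stream present but no ZoneId value' }
        elseif ($screened)   { $note = 'untrusted zone, SmartScreen check applies' }
        else                 { $note = 'trusted zone, no reputation check' }
        [pscustomobject]@{ Name = $file.Name; ZoneId = $zone; Screened = $screened; Note = $note }
    }
}

# Usage: scan the default folder and print a table.
Get-MotwStatus | Format-Table -AutoSize
```

Files that were downloaded yet show no stream, or a ZoneId of 0 through 2, are the ones worth a second look: an archive extractor or a download tool that does not propagate the stream produces the same result as a deliberate bypass, so treat the report as a triage list rather than proof of exploitation.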
The second zero-day is a Microsoft Outlook elevation-of-privilege vulnerability (CVE-2023-23397) rated critical with a CVSS score of 9.8. The flaw affects several Outlook versions, including Microsoft 365 Apps for Enterprise, and exploitation does not require the victim to open the message or view it in the preview pane.
Microsoft published a script on GitHub that audits Exchange mailboxes for messages carrying the malicious property used in this attack, along with further mitigation details.
“The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the email server,” Microsoft wrote in its CVE notes.
Microsoft recommended blocking outbound TCP port 445 (SMB) at the network perimeter and adding users to the Active Directory security group named Protected Users, which disables NTLM authentication for its members and so blocks credential theft via NTLM relay attacks.
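The script below is an added example, not code from the original article or from Microsoft's guidance. It applies the two mitigations above and verifies each one. It assumes it runs as a local administrator for the firewall rule and as a domain administrator with the ActiveDirectory module for the group change; the account names and the rule name are placeholders chosen for the example.

```powershell
# Added example: apply and verify the two CVE-2023-23397 mitigations the
# article describes. Assumptions: local admin for the firewall rule, domain
# admin with the ActiveDirectory module for the group change; account names
# below are constructed placeholders.

# 1. Block outbound SMB. The crafted message points a UNC path at an
#    attacker-controlled host, so Outlook would otherwise send the user's
#    NTLM response to it over TCP 445.
$ruleName = 'Block outbound SMB (CVE-2023-23397 mitigation)'   # placeholder rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -Profile Any -Action Block | Out-Null
}
# Verify: the rule must be present, enabled, outbound and blocking.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action

# 2. Put high-value accounts into Protected Users. Members of that group
#    cannot authenticate with NTLM, so a leaked NTLM response has nothing
#    to be relayed against.
Import-Module ActiveDirectory
$accounts = @('jdoe', 'svc-backup')   # constructed placeholders, not real accounts
Add-ADGroupMember -Identity 'Protected Users' -Members $accounts

# Verify membership.
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
```

Two caveats before rolling this out broadly. Protected Users also refuses RC4 and DES Kerberos tickets, Kerberos delegation and cached logons for its members, so pilot it on a small group and watch for applications that break. And a firewall rule on port 445 covers SMB only: Windows can fall back to WebDAV over ports 80 and 443 when a UNC path is unreachable, so confirm the WebClient service is disabled or that web proxies do not pass NTLM to external hosts.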
“There’s more guidance in the CVE that people should investigate to see if they can lock things down even tighter in their environments,” said Chris Goettl, Ivanti vice president of security product management. “Organizations that still rely on NTLM authentication for certain applications might not be able to fully implement this type of functionality to mitigate the threats more effectively.”
Goettl said this vulnerability is more likely to affect companies that rely on older applications that they haven’t been able to modernize rather than enterprises that have moved on to SaaS applications.
The other publicly disclosed vulnerability is a curl remote-code execution flaw (CVE-2022-43552) that affects several Microsoft products, including Windows server and desktop systems and CBL-Mariner 2.0, a Linux distribution Microsoft developed for its cloud and edge products. Curl is a command-line tool and library for transferring data over a range of network protocols.
Microsoft first published the CVE on Feb. 9. The March Patch Tuesday revision added more affected Windows versions and noted that an updated curl library in an upcoming security release would resolve the flaw.
Microsoft corrects 20 printer driver issues
March Patch Tuesday plugged 20 vulnerabilities in the Microsoft PostScript and PCL6 Class printer driver: 10 remote-code execution flaws, nine information disclosure bugs and one elevation-of-privilege flaw.
Many in IT still remember patching systems affected by the PrintNightmare vulnerability in July 2021 and then dealing with the problems caused by the stricter controls on printer driver installation that followed. Given the volume of print driver fixes this month, administrators should set aside ample time to test printing on affected devices before deploying broadly.
“Any time we see that many print driver or print spooler changes, there’s a high chance that there will be some impact on printer behavior,” Goettl said.
Other security updates of note for March Patch Tuesday
An Internet Control Message Protocol (ICMP) remote-code execution vulnerability, rated critical for Windows Server and desktop systems, has the highest CVSS score this month at 9.8. ICMP is the error-reporting and diagnostic protocol used alongside IP, and the flaw requires neither privileges nor user interaction for an attacker on the network to exploit it.
Microsoft included four CVEs that originated in the Git project with its March Patch Tuesday vulnerabilities list. The vulnerabilities (CVE-2023-22490, CVE-2023-22743, CVE-2023-23618 and CVE-2023-23946) are rated important and relate to flaws in the Git version control system bundled with Visual Studio. Deploying patches for Microsoft's integrated development environment typically falls outside the purview of the systems administrator and requires cooperation between multiple groups to keep such vulnerabilities from falling through the cracks.
“The development teams and operations teams need to be included in your vulnerability management program to ensure the development stack and CI/CD pipeline are updated throughout your organization,” Goettl said.