Wednesday, March 15th 2023

Microsoft Releases Windows Patches, Fixes Actively Exploited Zero-Day Vulnerabilities

Microsoft today unleashed a slew of updates for its March Patch Tuesday to address around 80 security vulnerabilities in the wild. To begin, Windows 10 patches KB5023696 and KB5023697 address system and security issues in Windows 10 versions 22H2, 21H2, 21H1, 1809, and 1607 as well as Windows Server 2016. These are being deployed as non-optional updates and will be automatically installed via Windows Update (unless you run a modified or locked-down install). Windows 10 1507 also received a small patch, KB5023713, which similarly delivers security fixes as well as a fix for hyperlinks in Excel.

Microsoft today also released fixes for two critical zero-day vulnerabilities that were being actively exploited as far back as April of 2022. The two exploited vulnerabilities are CVE-2023-23397 and CVE-2023-24880. CVE-2023-23397 is an elevation-of-privilege vulnerability that allows specially crafted emails to force a target's device to connect to remote URLs and transmit the Windows account's Net-NTLMv2 hash. CVE-2023-24880 is a Windows SmartScreen vulnerability that can be exploited to create executables which bypass the Windows Mark of the Web security warning.
Microsoft states the following for CVE-2023-23397:
CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. The connection to the remote SMB server sends the user's NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.
CVE-2023-23397 was initially flagged by CERT-UA (Computer Emergency Response Team of Ukraine) and disclosed by CERT-UA, Microsoft Incident, and Microsoft Threat Intelligence. In the disclosure the latter states:
Microsoft Threat Intelligence assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.
The report also states that the flaw affects all versions of Microsoft Outlook for Windows; however, it has no effect on Outlook for Mac, iOS, Android, or Outlook on the web, as online services do not utilize NTLM authentication. Microsoft released a script that allows organizations to check if they have been targeted by the attack.
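A defender-side triage of the condition Microsoft describes, as an added example (it is not Microsoft's audit script and not code from this article): it takes the string stored in a message's reminder-sound property and flags UNC paths whose server lies outside the organization. It assumes the property values have already been exported (Microsoft's guidance names the property PidLidReminderFileParameter; this page does not); the `id`/`reminder_file` keys, the internal suffix and networks, and the sample values are all constructed for illustration.

```python
import ipaddress
import re

# Assumptions for this example: what the organization treats as internal.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# \\host\share, or the long form \\?\UNC\host\share
_UNC = re.compile(r"^(?:\\\\\?\\UNC\\|\\\\)(?P<host>[^\\?]+)(?=\\|$)", re.IGNORECASE)

def unc_host(value):
    """Return the server part of a UNC path, or None if value is not one."""
    m = _UNC.match(value.strip().replace("/", "\\"))
    return m.group("host").lower() if m else None

def classify(value):
    """Return 'not-unc', 'internal' or 'external' for a property value."""
    host = unc_host(value)
    if host is None:
        return "not-unc"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A name: single-label (NetBIOS) names and internal suffixes count as internal.
        internal = "." not in host or host.endswith(INTERNAL_SUFFIXES)
    else:
        internal = any(ip in net for net in INTERNAL_NETS)
    return "internal" if internal else "external"

def triage(messages):
    """Return (id, host) for messages whose reminder file is an off-network UNC path."""
    return [(m["id"], unc_host(m["reminder_file"])) for m in messages
            if classify(m.get("reminder_file", "")) == "external"]

# Constructed sample property values, not taken from real mail.
SAMPLE = [
    {"id": "msg-1", "reminder_file": r"C:\Windows\Media\chimes.wav"},
    {"id": "msg-2", "reminder_file": r"\\fs01.corp.example\sounds\ding.wav"},
    {"id": "msg-3", "reminder_file": r"\\203.0.113.10\share\x.wav"},
    {"id": "msg-4", "reminder_file": r"\\files.example.net\a\b.wav"},
    {"id": "msg-5", "reminder_file": r"\\?\UNC\192.168.1.20\media\r.wav"},
]

if __name__ == "__main__":
    for msg_id, host in triage(SAMPLE):
        print(f"{msg_id}: reminder sound points at external host {host}")
```

A hit only says the property points off-network; pair it with egress logs for TCP 445 to that host before treating the mailbox as targeted.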

Regarding CVE-2023-24880, researchers Benoît Sevens and Vlad Stolyarov of the Google Threat Analysis Group as well as Microsoft share:
When you download a file from the internet, Windows adds the zone identifier or Mark of the Web (MOTW) as an NTFS stream to the file. So, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3 which means that the file was downloaded from the internet, the SmartScreen does a reputation check.

The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet. TAG has observed over 100,000 downloads of the malicious MSI files since January 2023, with over 80% to users in Europe - a notable divergence from Magniber's typical targeting, which usually focuses on South Korea and Taiwan.
The full detailed report of disclosed security fixes for March 2023 is available to browse here. It's not exactly light reading.
Source: BleepingComputer

14 Comments on Microsoft Releases Windows Patches, Fixes Actively Exploited Zero-Day Vulnerabilities

#1
Makaveli
Do these windows updates right now!
#2
W1zzard
and a search bar suddenly appeared in my task bar, at least you can turn it off again
#3
sLowEnd
W1zzard: and a search bar suddenly appeared in my task bar, at least you can turn it off again
Same here lol
#4
Vayra86
Holy crap, so these fixes actively exploited zero day vulnerabilities.

That's scary AF
#5
Unregistered
This is why limiting and/or disabling Windows features is essential,
but having a good firewall set up is maybe even more so important.

I don't even use Microsoft account just because of situations like these
and that's just one of many, many security steps I took to secure my system.

For example, this is an obvious one,
when using a Windows PC,
you have to keep your admin account separated from the one you daily use.

Something which Linux does by default for many, many years now.
#6
Punkenjoy
If Microsoft was a bit more transparent with Windows upgrade, less people would disable Windows update. But except that, there is no reason to disable them.


Also, it's probably not a coincidence that Windows 11 that enforces TPM is not affected by any of these vulnerabilities. Those security things aren't just there to annoy you or to spy on you. (Or to prevent you from pirating your games or blue rays)
#7
Unregistered
Punkenjoy: If Microsoft was a bit more transparent with Windows upgrade, less people would disable Windows update. But except that, there is no reason to disable them.


Also, it's probably not a coincidence that Windows 11 that enforces TPM is not affected by any of these vulnerabilities. Those security things aren't just there to annoy you or to spy on you. (Or to prevent you from pirating your games or blue rays)
Secure boot is more important than TPM. TPM is implemented to secure devices from physical access.
I have it disabled personally.
Windows update is very important as we can see from this article too,
but I also limited its "features" like using other people devices to speed up the download process.
That is strictly DISABLED on my system.

There's a lot of stuff which can be used to hack into a Windows PC.
One drive and Microsoft account are some of those
as is Microsoft Store and its built-in apps.
I have all of that completely removed from my system.
#8
Easo
Punkenjoy: If Microsoft was a bit more transparent with Windows upgrade, less people would disable Windows update. But except that, there is no reason to disable them.


Also, it's probably not a coincidence that Windows 11 that enforces TPM is not affected by any of these vulnerabilities. Those security things aren't just there to annoy you or to spy on you. (Or to prevent you from pirating your games or blue rays)
Microsoft could be 146% open with that and there still would be loads of people who think they know better and would disable them. Do not kid yourself, please.
Well, it gives me job security so whatever.
#9
trparky
CVE-2023-1017 and CVE-2023-1018, both TPM-related, have been fixed. The most important of them all, CVE-2023-1017, the one that allowed for reading two bytes past the end of a TPM 2.0 command thus crashing the TPM module or even, in the worst situation, permanently corrupting it, has been fixed in this batch of updates.

Do not pass Go, don't collect $200, install this update now!!!
#10
Easo
trparky: CVE-2023-1017 and CVE-2023-1018, both TPM-related, have been fixed. The most important of them all, CVE-2023-1017, the one that allowed for reading two bytes past the end of a TPM 2.0 command thus crashing the TPM module or even, in the worst situation, permanently corrupting it, has been fixed in this batch of updates.

Do not pass Go, don't collect $200, install this update now!!!
The Outlook one is far more critical, imho, looks like it is stupidly easy to exploit.
#11
trparky
Easo: The Outlook one is far more critical, imho, looks like it is stupidly easy to exploit.
Yeah, but at least you can recover from that. Bricked hardware is an entirely different can of worms.
#12
ThrashZone
Easo: The Outlook one is far more critical, imho, looks like it is stupidly easy to exploit.
Hi,
Yeah click to run lol
Punkenjoy: If Microsoft was a bit more transparent with Windows upgrade, less people would disable Windows update. But except that, there is no reason to disable them.


Also, it's probably not a coincidence that Windows 11 that enforces TPM is not affected by any of these vulnerabilities. Those security things aren't just there to annoy you or to spy on you. (Or to prevent you from pirating your games or blue rays)
This is added to a so called "security update" lol this kind of bloat is why a lot of people, me included wait until the dust settles before installing updates
Yeah these all look really important but reality is they are just more holes opened :laugh:
Other improvements or additional features
Introducing Phone Link for iOS in preview
Android® phone users get an even richer experience
Broadcast your best self, right when you need to with advanced AI
Connect in more ways with a simple click
Providing help is easier than ever with the redesigned Quick Assist app
More of the news and information you care about is just a swipe away
Enhancing your touch experience
Screen recording in Snipping Tool
Tabs make navigating Notepad easier than ever
New accessibility features include Braille display support and enhanced voice access in key apps
New energy recommendations make it easier for you to control your environmental impact
Harness the power of AI to find the files you need recommended in your Start menu
Access your Cloud PC with the new Windows 365 app
www.techpowerup.com/forums/threads/windows-11-general-discussion.284164/page-163#post-4961840

Think W1zzard said he got an all important search box back on his taskbar lol
W1zzard: and a search bar suddenly appeared in my task bar, at least you can turn it off again
Probably one day we won't.
#13
mechtech
upgrade to windows 12 instead!!!
#14
Vayra86
I'm rolling back to 95. Ignorance is bliss