Wednesday, March 15th 2023

Microsoft Releases Windows Patches, Fixes Actively Exploited Zero-Day Vulnerabilities

Microsoft today unleashed a slew of updates for its March Patch Tuesday to address around 80 security vulnerabilities, some of which are being exploited in the wild. To begin, Windows 10 patches KB5023696 and KB5023697 address system and security issues in Windows 10 versions 22H2, 21H2, 21H1, 1809, and 1607 as well as Windows Server 2016. These are being deployed as non-optional updates and will be automatically installed via Windows Update (unless you run a modified or locked-down install). Windows 10 1507 also received a small patch, KB5023713, which similarly addresses security fixes as well as hyperlinks in Excel.

Microsoft today also released fixes for two critical zero-day vulnerabilities that were being actively exploited as far back as April of 2022. The two exploited vulnerabilities are CVE-2023-23397 and CVE-2023-24880. CVE-2023-23397 is an elevation of privilege (EoP) vulnerability: a specially crafted email can force a target's device to connect to a remote UNC path and transmit the Windows account's Net-NTLMv2 hash. CVE-2023-24880 is a Windows SmartScreen vulnerability that can be exploited to create executables which bypass the Windows Mark of the Web security warning.
Microsoft states the following for CVE-2023-23397:
CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. The connection to the remote SMB server sends the user's NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.
CVE-2023-23397 was initially flagged by CERT-UA (Computer Emergency Response Team of Ukraine) and disclosed by CERT-UA, Microsoft Incident, and Microsoft Threat Intelligence. In the disclosure the latter states:
Microsoft Threat Intelligence assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.
The report also states that the flaw affects all versions of Microsoft Outlook for Windows, but it has no effect on Outlook for Mac, iOS, Android, or Outlook on the web, as the online services do not use NTLM authentication. Microsoft released a script that allows organizations to check whether they have been targeted by the attack.

Regarding CVE-2023-24880, researchers Benoît Sevens and Vlad Stolyarov of the Google Threat Analysis Group, as well as Microsoft, share:
When you download a file from the internet, Windows adds the zone identifier or Mark of the Web (MOTW) as an NTFS stream to the file. So, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3 which means that the file was downloaded from the internet, the SmartScreen does a reputation check.

The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet. TAG has observed over 100,000 downloads of the malicious MSI files since January 2023, with over 80% to users in Europe - a notable divergence from Magniber's typical targeting, which usually focuses on South Korea and Taiwan.
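To make the Mark of the Web mechanism described above concrete, here is an added example (not code from the article, Microsoft or Google TAG) that parses the Zone.Identifier alternate data stream and reports whether a file carries the ZoneId=3 marker that makes SmartScreen run its reputation check; the sample stream contents and the example.invalid URLs are constructed for illustration, and the file-reading helper only finds a stream on NTFS.

```python
"""Inspect the Zone.Identifier ADS (Mark of the Web) attached to a download."""
from typing import Optional

# Standard Windows URL security zones that a Zone.Identifier stream can carry.
URL_ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
             3: "Internet", 4: "Restricted Sites"}

# Constructed sample of the stream a browser writes for an internet download.
SAMPLE_MOTW = ("[ZoneTransfer]\r\n"
               "ZoneId=3\r\n"
               "ReferrerUrl=https://example.invalid/download\r\n"
               "HostUrl=https://example.invalid/files/setup.msi\r\n")


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section into a dict.

    ZoneId is converted to an int; a missing or non-numeric ZoneId is
    reported as None so a broken stream is never mistaken for a real zone.
    """
    fields = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    zone = fields.get("ZoneId")
    fields["ZoneId"] = int(zone) if zone is not None and zone.isdigit() else None
    return fields


def zone_name(stream_text: str) -> str:
    """Human-readable zone label, or 'Unknown' for a malformed/unknown ZoneId."""
    return URL_ZONES.get(parse_zone_identifier(stream_text)["ZoneId"], "Unknown")


def needs_reputation_check(stream_text: Optional[str]) -> bool:
    """True when the stream marks the file as an Internet download (ZoneId=3).

    None means the file has no Zone.Identifier stream at all, i.e. no MOTW.
    """
    return stream_text is not None and parse_zone_identifier(stream_text)["ZoneId"] == 3


def read_zone_identifier(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier stream; None when absent (or not on NTFS)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None
```

Note that CVE-2023-24880 does not remove this marker: the MSI still carries ZoneId=3, and the bypass comes from the error SmartScreen hits while handling the malformed Authenticode signature, which is why checking for the stream alone does not reveal an affected file.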
The full detailed report of disclosed security fixes for March 2023 is available to browse here. It's not exactly light reading.