What just happened? Since 2003, Microsoft has used ‘Patch Tuesday’ as the unofficial definition for the company’s monthly release of security bugfixes for Windows and other software products. For March 2023, Redmond fixed two nasty zero-day flaws state-sponsored cyber-criminals and ransomware operations have already exploited in the wild.
This week, Microsoft released its latest collection of security fixes. Compared to February 2023, the latest batch of patches deals with an increasing number of vulnerabilities, including a couple of already exploited flaws.
Microsoft’s March security bulletin says this release includes fixes for many Windows components and security features, Hyper-V virtualization technology, Visual Studio, Office programs, and more. The update fixes 83 security flaws across Windows and other Microsoft software products.
Nine of the 83 weaknesses have been classified as “Critical,” meaning hackers could use them for various attacks. Considering the type of bug and the effect it has on Windows and other affected software, the vulnerabilities fall into the following categories:

- 21 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 27 Remote Code Execution Vulnerabilities
- 15 Information Disclosure Vulnerabilities
- 4 Denial of Service Vulnerabilities
- 10 Spoofing Vulnerabilities
- 1 Edge – Chromium Vulnerability
That list does not include 21 vulnerabilities Microsoft already fixed in the Edge browser before the Patch Tuesday update. Bleeping Computer published a complete report listing all closed bugs and related advisories. The March patch included two zero-day bug fixes, which Microsoft confirmed hackers had actively exploited.
The first zero-day bug is “Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397).” If successfully exploited, the flaw gives an attacker access to a user’s Net-NTLMv2 hash, which can then be used “as a basis of an NTLM Relay attack against another service to authenticate as the user.” The victim does not need to read or preview the email: the flaw is triggered automatically when the message is processed. Microsoft said the well-known Russian state-sponsored cyber gang “Strontium” exploited CVE-2023-23397 before the patch was issued.
The second zero-day flaw is the “Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2023-24880).” Microsoft explains that an attacker can exploit this bug by crafting a malicious file that would evade Mark of the Web (MOTW) defenses in the Protected View feature of Microsoft Office. Google researchers discovered CVE-2023-24880, saying hackers exploited it using Magniber ransomware, noting that it is related to a previous zero-day bug (CVE-2022-44698) Microsoft fixed in December.
Microsoft distributed its latest updates through the official Windows Update service, update management systems such as WSUS, and as direct (albeit massive) downloads through the Microsoft Update Catalog. Other software companies releasing security updates in sync with Microsoft’s Patch Tuesday include Apple, Cisco, Google, Fortinet, SAP, and backup giant Veeam.