Microsoft Addresses Zero-Day Vulnerabilities on March 2023 Patch Tuesday

On this March 2023 Patch Tuesday, Microsoft has released fixes for 74 CVE-numbered vulnerabilities, including two zero-day flaws (CVE-2023-23397 and CVE-2023-24880) that are being actively exploited by different threat actors.
Microsoft has identified CVE-2023-23397 as a critical elevation of privilege (EoP) vulnerability in Microsoft Outlook. It is exploited when a threat actor sends a malicious message containing an extended MAPI property with a UNC path to an SMB (TCP 445) share hosted on a server controlled by the attacker; no user interaction is required.
Satnam Narang from Tenable explains that, unlike many Outlook vulnerabilities, this one is not triggered by the Preview Pane functionality but occurs on the email server side, before the victim views the email. The flaw affects all supported versions of Microsoft Outlook for Windows, but not Outlook for Mac, iOS or Android, or Outlook on the web. Online services such as Microsoft 365 are not vulnerable to this attack.
The Ukrainian CERT and Microsoft's Incident and Threat Intelligence teams reported the vulnerability. Microsoft has shared a script to help organizations check whether they have been targeted by a Russia-based threat actor, which has used this exploit in targeted attacks against a limited number of organizations in the government, transportation, energy, and military sectors in Europe.
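A simplified detection check in the spirit of the Microsoft script mentioned above, added here as an example and not the page's or Microsoft's own code: it inspects string-valued extended properties of messages for UNC paths that point at hosts outside an assumed internal allowlist. The property name PidLidReminderFileParameter (the reminder sound-file property that Microsoft's script examines), the allowlist and the sample messages are assumptions or constructed values, not taken from the page.

```python
import re

# Matches Windows UNC paths in the classic (\\host\share\...) and long
# (\\?\UNC\host\share\...) forms and captures the host component.
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\\s]+)(?:\\|$)", re.IGNORECASE)

# Hosts that legitimately serve files to clients: an assumed allowlist, not from the page.
INTERNAL_HOSTS = {"fileserver.corp.example", "nas01.corp.example"}

def unc_host(value):
    """Return the lower-cased host of a UNC path, or None if value is not one."""
    if not isinstance(value, str):
        return None
    m = UNC_RE.match(value.strip())
    return m.group(1).lower() if m else None

def is_external(host):
    """Anything not on the allowlist (including bare IP addresses) is treated as external."""
    return host not in INTERNAL_HOSTS

def scan_message(props):
    """Return (property, host) pairs for string properties holding a UNC path to an external host."""
    hits = []
    for name, value in props.items():
        host = unc_host(value)
        if host and is_external(host):
            hits.append((name, host))
    return hits

def scan_mailbox(messages):
    """Run scan_message over a list of {'subject': ..., 'props': {...}} dicts."""
    findings = []
    for msg in messages:
        for prop, host in scan_message(msg["props"]):
            findings.append((msg["subject"], prop, host))
    return findings

# Constructed sample messages (not real telemetry); the values are made up for the demonstration.
SAMPLE_MESSAGES = [
    {"subject": "Quarterly review", "props": {
        "PidLidReminderFileParameter": r"\\fileserver.corp.example\sounds\chime.wav"}},
    {"subject": "Invoice", "props": {
        "PidLidReminderFileParameter": r"\\203.0.113.25\pub\notice.wav",
        "PidLidReminderOverride": True}},
    {"subject": "Agenda", "props": {
        "PidLidReminderFileParameter": r"\\?\UNC\external.example\s\a.wav"}},
    {"subject": "Local sound", "props": {
        "PidLidReminderFileParameter": r"C:\Windows\Media\notify.wav"}},
]

if __name__ == "__main__":
    for subject, prop, host in scan_mailbox(SAMPLE_MESSAGES):
        print(f"FLAG: '{subject}' property {prop} points to external host {host}")
```

Only the two messages whose paths lead outside the allowlist are flagged; a hit is a lead for incident response, and blocking outbound TCP 445 at the perimeter is the complementary network control.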
The second zero-day, CVE-2023-24880, allows attackers to bypass the Windows SmartScreen feature. It can be exploited by crafting a malicious file that evades Mark of the Web (MOTW) defenses, so the file slips past protective measures such as Windows SmartScreen and Microsoft Office Protected View.
Benoît Sevens and Vlad Stolyarov of Google's Threat Analysis Group (TAG) reported the in-the-wild exploitation of this vulnerability to Microsoft after observing it being used to deliver the Magniber ransomware. TAG found that over 100,000 downloads of malicious MSI files have occurred since January 2023, primarily targeting users in Europe.
Notable Vulnerabilities

Dustin Childs from Trend Micro's Zero Day Initiative also highlighted a wormable HTTP protocol stack RCE flaw (CVE-2023-23392), exploitable in a common Windows 11 and Windows Server 2022 configuration, and a potentially wormable RCE in the Internet Control Message Protocol (CVE-2023-23415), as vulnerabilities that need prompt fixing.
Another vulnerability worth mentioning is CVE-2023-23416, a remote code execution (RCE) vulnerability in Windows Cryptographic Services that can be exploited by importing a malicious certificate onto an affected system.