Microsoft Zero-Day Bugs Allow Security Feature Bypass
IT teams should prioritize the patching of two zero-day vulnerabilities, one in Microsoft Outlook’s authentication mechanism and another that’s a Mark of the Web bypass, security experts said today. The two are part of a cache of 74 security bugs that Microsoft disclosed in its March Patch Tuesday security update.
In a blog post, researchers from Automox recommended that organizations patch both vulnerabilities within 24 hours since attackers are exploiting them in the wild.
In addition, several of the critical flaws in the March update enable remote code execution (RCE), making them a high priority for patching as well.
Vendors had slightly different takes on the total number of new critical vulnerabilities in Microsoft’s March update — likely because of differences in what they included in the count. Trend Micro’s Zero-Day Initiative (ZDI), for instance, identified six of the vulnerabilities in Microsoft’s March update as critical, while Tenable and Action1 pegged the number at nine.
Privilege Escalation Zero-Day
One of the zero-days is a critical privilege escalation vulnerability in Microsoft Outlook tracked as CVE-2023-23397, which allows an attacker to access the victim’s Net-NTLMv2 challenge-response authentication hash and then impersonate the user.
What makes the bug dangerous is that an attacker could trigger it simply by sending a specially crafted email that Outlook retrieves and processes before the user even views it in the Preview Pane.
“This is because the vulnerability is triggered on the email server side, meaning exploitation would occur before a victim views the malicious email,” said Satnam Narang, senior staff research engineer at Tenable in an emailed comment. An attacker could use the victim’s Net-NLMv2 hash to conduct an attack that exploits the NTLM challenge-response mechanism and allows the adversary to authenticate as the user.
That makes the bug more of an authentication bypass vulnerability than an privilege escalation issue, added ZDI researcher Dustin Childs, in a blog post that summarized the most important flaws in Microsoft’s March Patch Tuesday update. Disabling the Preview Pane option will not mitigate the threat because the bug gets triggered even before that, he wrote.
Microsoft attributed the bug’s discovery to researchers from Ukraine’s Computer Emergency Response Team (CERT) as well as one of its own researchers.
Organizations that cannot patch CVE-2023-23397 immediately should consider implementing Microsoft’s mitigation for the flaw, which prevents the use of NTLM as an authentication mechanism, Automox said.
Actively Exploited Security Feature Bypass Flaw
Microsoft identified the second zero-day bug as CVE-2023-24880, a Windows SmartScreen security feature bypass issue than at attacker could use to bypass the Mark of the Web designation that Microsoft uses to identify files that a user might download from the Internet.
The feature is designed to warn users about potentially unsafe content. CVE-2023-24880 affects all desktop systems running Windows 10 and above and systems running Windows Server 2016, 2019, and 2022.
Chris Goettl, vice president of security products at Ivanti, cautioned administrators not to be lulled into a sense of false security by Microsoft’s relatively low severity rating for the flaw.
“The CVSSv3.1 score is only 5.4, which may avoid notice by many organizations,” Goettl said in a statement. On its own, the CVE may not be all that threatening, “but it was likely used in an attack chain with additional exploits,” he warned.
Other Security Bugs at High Patching Priority
One of the RCE flaws to make a special note of is CVE-2023-23415, which exists in the Internet Control Message Protocol (ICMP) that network devices use to diagnose communications issues.
“An attacker can remotely exploit this vulnerability through the use of a low-level protocol error containing a fragmented IP packet in its header that is sent to the target machine,” Microsoft said. The vulnerability affects multiple Microsoft products, including Windows 10, Windows 11, Windows Server 2008, 2012, 2016, 2019, and 2022.
ZDI, Automox, and Action1 also all identified a RCE vulnerability with a near maximum severity of 9.8 on the CVSS scale in the HTTP Protocol Stack as another issue that organizations might want to prioritize.
The vulnerability (CVE-2023-23392) allows an unauthenticated attacker to send a specially crafted packet to a server that uses the HTTP Protocol Stack leading to RCE. “The vulnerability affects Windows Server 2022 and Windows 11, and has a low-complexity attack vector that requires no privileges or user interaction,” Action1 warned. Because of this, Microsoft has assessed the vulnerability as one that threat actors are more likely to exploit than other flaws.
Automox also recommended that organizations address CVE-2023-23416, a RCE bug in the Windows Cryptographic Services protocol, within 72 hours. That’s because, among other things, it affects all versions of desktops Windows 10 and above, and all Windows server editions from Server 2012 on.
In addition to patches for new vulnerabilities, Microsoft also issued updates for four older flaws — all from 2022 — in its March patch cycle. The update expands the number of Microsoft software and applications affected by the vulnerabilities and provides a patch for them, Ivanti said. The security vendor identified the four updated patches as CVE-2022-43552, CVE-2022-23257, CVE-2022-23825, and CVE-2022-23816.