Update now! Microsoft fixes two zero-day bugs
This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one.
Microsoft, and other vendors, have released their monthly updates. In total Microsoft has fixed a total of 101 vulnerabilities for several titles (including Edge), with two of them being actively exploited zero-days. On top of that, Adobe has fixed an actively exploited vulnerability in ColdFusion.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs of the actively exploited vulnerabilities patched in these updates are:
CVE-2023-23397: a critical Microsoft Outlook Elevation of Privilege (EoP) vulnerability. External attackers could send specially crafted emails to cause a connection from the victim to an external UNC location of attackers’ control. This would leak the Net-NTLMv2 hash of the victim to the attacker who could then relay this to another service and authenticate as the victim. The mail would be triggered automatically when retrieved and processed by the Outlook client, which could result in exploitation even before the email is viewed in the Preview Pane.
This means this vulnerability could be used to obtain a hashed token, which could then be used in a so-called “pass-the-hash” attack. Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring the client to perform a mathematical operation using its authentication token, and then returns the result of this operation to the service. The service may validate the result or send it to the Domain Controller (DC) for validation. If the service or DC confirm that the client’s response is correct, the service allows access to the client. Sounds secure, right? Well, the fun part is that with the hash you have enough information to perform that mathematical operation required to gain access. The authentication process does not require the plaintext password. The hash is enough.
CVE-2023-24880: a moderate Windows SmartScreen Security Feature Bypass vulnerability. An attacker could craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. Reportedly, this vulnerability was used in ransomware related attacks.
MOTW, the technology that ensures Windows pops a warning message when trying to open a file downloaded from the Internet makes another comeback. The MOTW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the internet or a Restricted Zone. When you download a file from the internet, Windows adds the zone identifier or Mark of the Web as an NTFS stream to the file. And, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3, which means that the file was downloaded from the internet, the SmartScreen does a reputation check.
CVE-2023-26360: classified as a priority 1 vulnerability in Adobe ColdFusion due to critical deserialization of untrusted data. This flaw can lead to arbitrary code execution, making it a high-priority target for attackers.
Adobe says it is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.
Adobe recommends updating your ColdFusion versions 2021 and 2018 JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.
Adobe also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.
Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.
- SAP has released security updates for 19 vulnerabilities, five of which were rated as critical.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.