Microsoft has fixed over 80 vulnerabilities in this month’s Patch Tuesday update round, including two zero-days being actively exploited in the wild.
One of those is CVE-2023-23397, a critical elevation of privilege bug in Outlook with a CVSS score of 9.8.
“The attack can be executed without any user interaction by sending a specially crafted email which triggers automatically when retrieved by the email server. This can lead to exploitation before the email is even viewed in the Preview Pane,” explained Action1 VP of vulnerability and threat research, Mike Walters.
“If exploited successfully, an attacker can access a user’s Net-NTLMv2 hash, which can be used to execute a pass-the-hash attack on another service and authenticate as the user.”
The bug was reported by the Computer Emergency Response Team for Ukraine (CERT-UA), hinting that it was being actively exploited by Russian threat actors.
The second zero-day, CVE-2023-24880, is a security feature bypass in Windows SmartScreen.
It enables attackers to craft a malicious file capable of circumventing Mark-of-the-Web (MOTW) defenses in features like Protected View in Office, according to Microsoft.
“This CVE affects all currently supported versions of the Windows OS,” explained Ivanti VP of security products, Chris Goettl. “The CVSS score is only 5.4, which may avoid notice by many organizations and on its own this CVE may not be all that threatening, but it was likely used in an attack chain with additional exploits. Prioritizing this month’s OS update would reduce the risk to your organization.”
Of the nine critical CVEs listed this month, CVE-2023-21708 should also be a priority for security teams, argued Gal Sadeh, head of data and security research at Silverfort. It refers to a remote code execution bug in Remote Procedure Call Runtime that allows unauthenticated attackers to run remote commands on a target machine.
“Threat actors could use this to attack domain controllers, which are open by default,” he added. “To mitigate, we recommend domain controllers only allow RPC from authorized networks and RPC traffic to unnecessary endpoints and servers is limited.”
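The mitigation recommended above, restricting RPC on domain controllers to authorized networks, can be put in place with the built-in Windows Defender Firewall cmdlets. The script below is an added example, not code from the article or from any vendor quoted in it. It audits enabled inbound Allow rules that expose the RPC Endpoint Mapper (TCP 135) or the dynamic RPC port range to any remote address, scopes those rules to an allow list of subnets, and checks that the Domain profile drops unmatched inbound traffic by default. The subnet list is a constructed placeholder; the function names are this example's own. `RPCEPMap` and `RPC` are the keyword values Windows Firewall uses for those ports in its port filters.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's or any vendor's code): scope inbound RPC on a
# domain controller to authorized networks.

# Constructed placeholder subnets; replace with your own authorized networks.
# The list must include replication partners and every subnet whose clients
# legitimately reach the DC over RPC (Netlogon, SAMR, DRS), or you will break them.
$AuthorizedNetworks = @('10.0.10.0/24', '10.0.20.0/24')

function Get-OpenRpcRule {
    # Returns enabled inbound Allow rules that accept RPC from any remote address.
    $rpcPorts = @('RPC', 'RPCEPMap', '135')
    foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        $ports      = @($portFilter.LocalPort)
        $exposesRpc = $portFilter.Protocol -eq 'TCP' -and
                      ($ports | Where-Object { $rpcPorts -contains $_ })
        if ($exposesRpc -and (@($addrFilter.RemoteAddress) -contains 'Any')) {
            [pscustomobject]@{
                Name        = $rule.Name
                DisplayName = $rule.DisplayName
                Profile     = $rule.Profile
                LocalPort   = ($ports -join ',')
            }
        }
    }
}

function Limit-RpcRemoteAddress {
    # Rewrites the remote-address scope of every rule found by Get-OpenRpcRule.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]] $RemoteAddress)

    foreach ($open in Get-OpenRpcRule) {
        $action = "scope RemoteAddress to $($RemoteAddress -join ', ')"
        if ($PSCmdlet.ShouldProcess($open.DisplayName, $action)) {
            Set-NetFirewallRule -Name $open.Name -RemoteAddress $RemoteAddress
        }
    }

    # An allow list only works if everything it does not match is dropped.
    $domainProfile = Get-NetFirewallProfile -Name Domain
    if ($domainProfile.DefaultInboundAction -ne 'Block') {
        Write-Warning ("Domain profile DefaultInboundAction is " +
                       "$($domainProfile.DefaultInboundAction); set it to Block.")
    }
}

# Review what would change before touching anything, then apply.
Get-OpenRpcRule | Format-Table -AutoSize
Limit-RpcRemoteAddress -RemoteAddress $AuthorizedNetworks -WhatIf
# Limit-RpcRemoteAddress -RemoteAddress $AuthorizedNetworks
```

Run the `-WhatIf` pass first and compare the listed rules against the systems that actually need RPC access to the DC; scoping a rule too narrowly breaks replication and client logon flows before it stops any attacker. The firewall scope reduces exposure of the RPC Runtime but does not remove the bug, so the OS update for CVE-2023-21708 still has to be applied.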