Microsoft Releases Windows Patches, Fixes Actively Exploited Zero-Day Vulnerabilities

Microsoft today released a slew of updates for its March Patch Tuesday, addressing around 80 security vulnerabilities. To begin, Windows 10 patches KB5023696 and KB5023697 address system and security issues in Windows 10 versions 22H2, 21H2, 21H1, 1809, and 1607 as well as Windows Server 2016. These are being deployed as non-optional updates and will be installed automatically via Windows Update (unless you run a modified or locked-down install). Windows 10 1507 also received a small patch, KB5023713, which similarly addresses security fixes as well as hyperlinks in Excel.

Microsoft today also released fixes for two critical zero-day vulnerabilities that have been actively exploited as far back as April 2022. The two are CVE-2023-23397 and CVE-2023-24880. CVE-2023-23397 is an elevation-of-privilege vulnerability in Outlook: a specially crafted email can force the target's device to connect to a remote URL and transmit the Windows account's Net-NTLMv2 hash. CVE-2023-24880 is a Windows SmartScreen vulnerability that can be exploited to create executables that bypass the Windows Mark of the Web security warning.

Microsoft states the following for CVE-2023-23397:
CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. The connection to the remote SMB server sends the user's NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.

CVE-2023-23397 was initially flagged by CERT-UA (Computer Emergency Response Team of Ukraine) and disclosed by CERT-UA, Microsoft Incident, and Microsoft Threat Intelligence. In the disclosure the latter states:
Microsoft Threat Intelligence assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.

The report also states that the flaw affects all versions of Microsoft Outlook for Windows, but it has no effect on Outlook for Mac, iOS, Android, or Outlook on the web, as the online services do not use NTLM authentication. Microsoft has released a script that lets organizations check whether they have been targeted by the attack.
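As an added illustration (not from the article, and not Microsoft's own check script), the Python below triages exported values of the reminder-file MAPI property (PidLidReminderFileParameter, the property Microsoft's guidance concerns) and flags any UNC path whose host lies outside the organization. The sample values, the internal DNS suffix and the private address ranges are constructed assumptions; pulling the property from mailboxes is not shown.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample export: message id -> value of the reminder-file property.
# Real values would come from a mailbox query (not shown); these are made up.
SAMPLE_REMINDER_FILES = {
    "msg-001": r"C:\Windows\Media\Alarm01.wav",                # local file, benign
    "msg-002": r"\\203.0.113.10\sounds\reminder.wav",          # UNC to an external address
    "msg-003": r"\\fileserver.corp.example\sounds\ding.wav",   # UNC to an internal host
    "msg-004": r"\\10.0.0.5\sounds\ding.wav",                  # UNC to a private address
    "msg-005": None,                                           # property not set
    "msg-006": r"\\?\UNC\198.51.100.7\s\r.wav",                # extended-length UNC form
}

# Assumptions about the organization: its internal DNS suffix and the RFC 1918 ranges.
INTERNAL_DNS_SUFFIXES = (".corp.example",)
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches \\host\share..., //host/share... and the \\?\UNC\host\share... spelling.
UNC_RE = re.compile(r"^[\\/]{2}(?:\?[\\/]UNC[\\/])?([^\\/]+)(?:[\\/]|$)", re.IGNORECASE)


def unc_host(value):
    """Host component of a UNC path, or None when the value is not a UNC path."""
    if not value:
        return None
    m = UNC_RE.match(value)
    return m.group(1) if m else None


def is_internal(host):
    """True for private IPv4 ranges, the internal DNS suffix, or a single-label name."""
    try:
        return any(ip_address(host) in net for net in PRIVATE_NETS)
    except ValueError:
        pass  # not an IP literal; fall through to the name checks
    host = host.lower()
    return host.endswith(INTERNAL_DNS_SUFFIXES) or "." not in host


def triage(messages):
    """Map message id -> host for messages whose reminder file points outside the org."""
    flagged = {}
    for msg_id, value in messages.items():
        host = unc_host(value)
        if host and not is_internal(host):
            flagged[msg_id] = host
    return flagged


if __name__ == "__main__":
    for msg_id, host in triage(SAMPLE_REMINDER_FILES).items():
        print(f"{msg_id}: reminder file on external UNC host {host}")
```

Any hit is worth treating as a possible delivery of the exploit, since a legitimate reminder sound has no reason to live on an outside SMB share.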

Regarding CVE-2023-24880, researchers Benoît Sevens and Vlad Stolyarov of the Google Threat Analysis Group, as well as Microsoft, share:
When you download a file from the internet, Windows adds the zone identifier or Mark of the Web (MOTW) as an NTFS stream to the file. So, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3 which means that the file was downloaded from the internet, the SmartScreen does a reputation check.

The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet. TAG has observed over 100,000 downloads of the malicious MSI files since January 2023, with over 80% to users in Europe - a notable divergence from Magniber's typical targeting, which usually focuses on South Korea and Taiwan.
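As an added example (not from the article or either research team), the Python below parses the Zone.Identifier stream format described above and lists files whose Mark of the Web says they came from an untrusted zone, so an admin can audit which downloaded MSI files should have received a reputation check. The stream contents and file names are constructed; on Windows the text would be read from the alternate data stream "<file>:Zone.Identifier".

```python
import configparser

# Constructed Zone.Identifier stream contents. On Windows this text lives in the
# alternate data stream "<file>:Zone.Identifier"; it is embedded here so the example runs anywhere.
SAMPLE_STREAMS = {
    "setup.msi": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/dl\r\n"
                 "HostUrl=https://cdn.example.test/setup.msi\r\n",
    "intranet.msi": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "local.msi": None,                                 # no stream: never downloaded (or MotW stripped)
    "odd.msi": "[ZoneTransfer]\r\nZoneId=abc\r\n",     # malformed zone value
    "nosec.msi": "ZoneId=3\r\n",                        # missing section header
}

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
# Zone 3 is the case the article describes; zone 4 (Restricted Sites) is also untrusted.
UNTRUSTED_ZONES = {3, 4}


def parse_zone_identifier(stream):
    """Keys of the [ZoneTransfer] section as a dict; {} when the stream is absent or unparseable."""
    if not stream:
        return {}
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (ZoneId, HostUrl) as Windows writes it
    try:
        cp.read_string(stream.replace("\r\n", "\n"))
    except configparser.Error:
        return {}
    return dict(cp["ZoneTransfer"]) if cp.has_section("ZoneTransfer") else {}


def motw_zone(stream):
    """Integer ZoneId from the stream, or None if it is missing or not an integer."""
    try:
        return int(parse_zone_identifier(stream).get("ZoneId"))
    except (TypeError, ValueError):
        return None


def audit(files):
    """(name, zone name, HostUrl) for every file whose MotW places it in an untrusted zone."""
    report = []
    for name, stream in files.items():
        zone = motw_zone(stream)
        if zone in UNTRUSTED_ZONES:
            host = parse_zone_identifier(stream).get("HostUrl", "<no HostUrl recorded>")
            report.append((name, ZONE_NAMES[zone], host))
    return report


if __name__ == "__main__":
    for name, zone, host in audit(SAMPLE_STREAMS):
        print(f"{name}: MotW zone '{zone}', downloaded from {host}")
```

Note that the bypass in CVE-2023-24880 sits in SmartScreen's handling of the malformed Authenticode signature, not in the stream itself: a file can carry a correct ZoneId=3 and still have skipped the warning on an unpatched system, which is why the inventory is a complement to installing the update, not a substitute.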

The full detailed report of disclosed security fixes for March 2023 is available to browse here. It's not exactly light reading.

 
Do these windows updates right now!
 

W1zzard

and a search bar suddenly appeared in my task bar, at least you can turn it off again
 
Holy crap, so these are fixes for actively exploited zero-day vulnerabilities.

That's scary AF
 
Deleted member 211755

Guest
This is why limiting and/or disabling Windows features is essential,
but having a good firewall set up is maybe even more important.

I don't even use a Microsoft account just because of situations like these,
and that's just one of many, many security steps I took to secure my system.

For example, this is an obvious one:
when using a Windows PC,
you have to keep your admin account separate from the one you use daily.

Something Linux has done by default for many, many years now.
 
If Microsoft was a bit more transparent with Windows updates, fewer people would disable Windows Update. But apart from that, there is no reason to disable them.


Also, it's probably not a coincidence that Windows 11, which enforces TPM, is not affected by any of these vulnerabilities. Those security things aren't just there to annoy you or to spy on you. (Or to prevent you from pirating your games or Blu-rays.)
 
Deleted member 211755

Guest
If Microsoft was a bit more transparent with Windows updates, fewer people would disable Windows Update. But apart from that, there is no reason to disable them.


Also, it's probably not a coincidence that Windows 11, which enforces TPM, is not affected by any of these vulnerabilities. Those security things aren't just there to annoy you or to spy on you. (Or to prevent you from pirating your games or Blu-rays.)
Secure Boot is more important than TPM. TPM is implemented to secure devices from physical access.
I have it disabled personally.
Windows Update is very important, as we can see from this article too,
but I also limited its "features", like using other people's devices to speed up the download process.
That is strictly DISABLED on my system.

There's a lot of stuff which can be used to hack into a Windows PC.
OneDrive and the Microsoft account are some of those,
as are the Microsoft Store and its built-in apps.
I have all of that completely removed from my system.
 
If Microsoft was a bit more transparent with Windows updates, fewer people would disable Windows Update. But apart from that, there is no reason to disable them.


Also, it's probably not a coincidence that Windows 11, which enforces TPM, is not affected by any of these vulnerabilities. Those security things aren't just there to annoy you or to spy on you. (Or to prevent you from pirating your games or Blu-rays.)

Microsoft could be 146% open with that and there still would be loads of people who think they know better and would disable them. Do not kid yourself, please.
Well, it gives me job security so whatever.
 
CVE-2023-1017 and CVE-2023-1018, both TPM-related, have been fixed. The most important of them all, CVE-2023-1017, the one that allowed for reading two bytes past the end of a TPM 2.0 command thus crashing the TPM module or even, in the worst situation, permanently corrupting it, has been fixed in this batch of updates.

Do not pass Go, don't collect $200, install this update now!!!
 
CVE-2023-1017 and CVE-2023-1018, both TPM-related, have been fixed. The most important of them all, CVE-2023-1017, the one that allowed for reading two bytes past the end of a TPM 2.0 command thus crashing the TPM module or even, in the worst situation, permanently corrupting it, has been fixed in this batch of updates.

Do not pass Go, don't collect $200, install this update now!!!
The Outlook one is far more critical, imho; looks like it is stupidly easy to exploit.
 
The Outlook one is far more critical, imho; looks like it is stupidly easy to exploit.
Yeah, but at least you can recover from that. Bricked hardware is an entirely different can of worms.
 
The Outlook one is far more critical, imho; looks like it is stupidly easy to exploit.
Hi,
Yeah click to run lol

If Microsoft was a bit more transparent with Windows updates, fewer people would disable Windows Update. But apart from that, there is no reason to disable them.


Also, it's probably not a coincidence that Windows 11, which enforces TPM, is not affected by any of these vulnerabilities. Those security things aren't just there to annoy you or to spy on you. (Or to prevent you from pirating your games or Blu-rays.)
This is added to a so-called "security update", lol. This kind of bloat is why a lot of people, me included, wait until the dust settles before installing updates.
Yeah, these all look really important, but the reality is they are just more holes opened :laugh:
Other improvements or additional features
Introducing Phone Link for iOS in preview
Android® phone users get an even richer experience
Broadcast your best self, right when you need to with advanced AI
Connect in more ways with a simple click
Providing help is easier than ever with the redesigned Quick Assist app
More of the news and information you care about is just a swipe away
Enhancing your touch experience
Screen recording in Snipping Tool
Tabs make navigating Notepad easier than ever
New accessibility features include Braille display support and enhanced voice access in key apps
New energy recommendations make it easier for you to control your environmental impact
Harness the power of AI to find the files you need recommended in your Start menu
Access your Cloud PC with the new Windows 365 app

Think W1zzard said he got an all important search box back on his taskbar lol

and a search bar suddenly appeared in my task bar, at least you can turn it off again
Probably one day we won't.
 
upgrade to windows 12 instead!!!
 
I'm rolling back to 95. Ignorance is bliss
 