Microsoft today unleashed a slew of updates for its March Patch Tuesday to address around 80 security vulnerabilities in the wild. To begin, Windows 10 patches KB5023696 and KB5023697 address system and security issues in Windows 10 versions 22H2, 21H2, 21H1, 1809, and 1607 as well as Windows Server 2016. These are being deployed as non-optional updates and will be automatically installed via Windows Update (unless you run a modified or locked down install). Windows 10 1507 also received a small patch, KB5023713, which similarly addresses security fixes as well as hyperlinks in Excel.

Microsoft today also releases fixes for two critical zero-day vulnerabilities that were being actively exploited as far back as April of 2022. The two exploited vulnerabilities are CVE-2023-23397 and CVE-2023-24880. CVE-2023-23397 is an elevated privilege attack that allows crafting special emails that can force a target's device to connect to remote URLs and transmit the Windows account's Net-NTLMv2 hash. CVE-2023-24880 is a Windows SmartScreen vulnerability that can be exploited to create executables which bypass the Windows Mark of the Web security warning.

A pair of new vulnerabilities has been found in the TPM 2.0 library by cybersecurity company Quarkslab, that has security experts worried, as both of the flaws have potential far reaching implications. The two vulnerabilities go under the CVE identifiers of CVE-2023-1017 and CVE-2023-1018, where the first one allows for out-of-bounds writes, whereas the second one enables out-of-bounds reads, also known as buffer overflow vulnerabilities. This in itself might not sound particularly concerning, but as both can be triggered from user-mode applications, they're a pretty big deal, as it would enable malicious commands to be sent to a TPM 2.0 module, which could in turn enable malicious software to be installed on the device with the TPM 2.0 module.

According to Quarkslab, billions of devices could be affected, as TPM 2.0 authentication modules are used in everything from servers to IoT devices and has been the main hardware-based crypto solution for almost a decade by now. The attacker using the vulnerabilities would have to know what they're doing to be able to take advantage of these two flaws in TPM 2.0, but as it relies on the TPM command interface, there's no easy way to protect against an attack, if someone has gained user access to the system in question. The Trusted Computing Group (TCG) which is in charge of the TPM standard, has already issued an errata which includes instructions on how to address the two vulnerabilities and we're like to see updates from all major hardware vendors as they see fit.

Law enforcement is investigating an alleged mail-bomb attack towards the Northeastern University's VR department (Boston). A 45-year-old mailroom employee was caught in an explosion late Tuesday evening after opening a parcel containing a hard plastic case, leading the improvised explosive device to activate. Luckily, the employee survived the attack with only lacerations on his hands.

A low-tech way of delivering explosive payloads, mail bombing in the US rose to prominence through the actions of the Unabomber. Now, it seems that this delivery method is once again being weaponized for political purposes, as the package carried with a note (described as "rambling") that criticized Meta CEO Mark Zuckerberg and the relationship between university VR research and private interests. Northeastern University hosts several VR-oriented facilities, including an Immersive Media Labs Suite that "includes technologies for design, development, and exploration of virtual worlds, AR/VR/XR, and 360 video." It remains to be seen if this is a lone event or if it's a part of a more elaborate strategy of preventing change through fear.