Microsoft issued updates for its Windows operating systems and apps on Tuesday to fix at least 74 security flaws. Two of those flaws are already being actively exploited, including a particularly serious one in Microsoft Outlook that can be exploited without any user interaction.
The Outlook vulnerability, CVE-2023-23397, affects every version of Microsoft Outlook, including the most recent. Microsoft says it has seen evidence that attackers are exploiting this flaw, which requires no user interaction: a booby-trapped email triggers automatically when it is retrieved by the email server, before the email is even viewed in the Preview Pane.
The “Elevation of Privilege” label does not adequately reflect the severity of CVE-2023-23397, according to Kevin Breen, director of cyber threat research at Immersive Laboratories.
The flaw enables what is known as an NTLM relay attack: an attacker obtains a victim’s NTLM hash (derived from the Windows account password) and uses it in an attack commonly referred to as “Pass the Hash.”
Without having access to the target’s password, an attacker can effectively authenticate as them, according to Breen. “This is comparable to an attacker having a working password and access to a system within a company.”
Rapid7, a security company, notes that this flaw affects self-hosted versions of Outlook like Microsoft 365 Apps for Enterprise, while Microsoft-hosted online services like Microsoft 365 are not vulnerable.
CVE-2023-24800, another active zero-day vulnerability, is a “Security Feature Bypass” in Windows SmartScreen, one of Microsoft’s endpoint security technologies.
Action1, a patch management company, states that exploiting this bug is straightforward and doesn’t require elevated privileges. It does involve some user interaction, however, and cannot be used to access restricted or confidential information. Even so, the issue could allow further malicious code to run without being caught by SmartScreen’s reputation checks.
An attacker can use CVE-2023-24800 to bypass Mark of the Web (MOTW) defences, according to Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Project.
Childs said that bypassing MOTW makes it easier for threat actors to distribute malware via crafted documents and other infected files that SmartScreen would otherwise block. “Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW,” Childs added.
Seven other vulnerabilities patched by Microsoft this week were given its most severe “critical” rating, which means the updates fix security flaws that could be used to give an attacker complete remote control over a Windows host with little to no user interaction.
Also this week, Adobe issued eight updates that together address a staggering 105 security flaws across its products, including Adobe Photoshop, ColdFusion, Experience Manager, Dimension, Commerce, Magento, Substance 3D Stager, Cloud Desktop Application, and Illustrator.
See the SANS Internet Storm Center roundup for a more detailed breakdown of the updates released today. AskWoody.com probably has the inside scoop on any stability or usability problems that today’s Windows updates may cause.
Before installing any updates, please consider backing up your data and/or imaging your machine. And if you run into any issues as a result of these updates, please feel free to share your thoughts in the comments.