Microsoft has fixed over 80 vulnerabilities in this month’s Patch Tuesday update round, including two zero-days being actively exploited in the wild.
One of these is CVE-2023-23397, a critical elevation of privilege bug in Outlook with a CVSS rating of 9.8.
“The attack can be executed without any user interaction by sending a specially crafted email which triggers automatically when retrieved by the email server. This can lead to exploitation before the email is even viewed in the Preview Pane,” explained Action1 VP of vulnerability and threat research, Mike Walters.
“If exploited successfully, an attacker can access a user’s Net-NTLMv2 hash, which can be used to execute a pass-the-hash attack on another service and authenticate as the user.”
The bug was reported by the Computer Emergency Response Team for Ukraine (CERT-UA), hinting that it was being actively exploited by Russian threat actors.
The second zero-day, CVE-2023-24880, is a security feature bypass in Windows SmartScreen.
It allows attackers to craft a malicious file capable of circumventing Mark-of-the-Web (MOTW) defenses in features like Protected View in Office, according to Microsoft.
“This CVE affects all currently supported versions of the Windows OS,” explained Ivanti VP of security products, Chris Goettl. “The CVSS score is only 5.4, which may prevent notice by many organizations, and on its own this CVE may not be all that threatening, but it was likely used in an attack chain with additional exploits. Prioritizing this month’s OS update would reduce the risk to your business.”
Of the nine critical CVEs listed this month, CVE-2023-21708 should also be a priority for security teams, argued Gal Sadeh, head of data and security research at Silverfort. It refers to a remote code execution bug in Remote Procedure Call Runtime that enables unauthenticated attackers to run remote commands on a target machine.
“Threat actors could use this to attack domain controllers, which are open by default,” he added. “To mitigate, we recommend domain controllers only allow RPC from authorized networks and RPC traffic to unnecessary endpoints and servers is limited.”
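One way to apply the RPC scoping that Silverfort recommends, as an added example that is not part of the article or Silverfort’s own guidance: it narrows the remote-address scope of the built-in domain controller RPC rules in Windows Defender Firewall. The subnets are constructed placeholders, and the rule group and rule names are assumed to match Microsoft’s predefined "Active Directory Domain Services" group.

```powershell
# Added example: restrict inbound RPC on a domain controller to authorized
# networks. Run elevated on the DC. Assumptions: the subnets below are
# constructed placeholders for the networks that legitimately need RPC
# (client and admin subnets, other DCs); the rule group and names are the
# predefined Windows Defender Firewall rules for AD DS.

$AuthorizedNetworks = @('10.10.0.0/16', '10.20.5.0/24', '192.168.100.0/24')

# Built-in DC rules for the RPC endpoint mapper (TCP 135) and the dynamic
# RPC ports: "Active Directory Domain Controller (RPC-EPMAP)" and
# "Active Directory Domain Controller (RPC)". Scope them to the allow-list
# instead of leaving them open to any remote address.
Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services' -Direction Inbound |
    Where-Object { $_.DisplayName -like '*(RPC*' -and $_.Enabled -eq 'True' } |
    Set-NetFirewallRule -RemoteAddress $AuthorizedNetworks

# The Domain profile must default to blocking unsolicited inbound traffic so
# that an RPC client outside the scoped rules is dropped rather than matched
# by some broader allow rule.
Set-NetFirewallProfile -Profile Domain -Enabled True -DefaultInboundAction Block

# Verify: each scoped RPC rule should now list only the authorized networks.
Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services' -Direction Inbound |
    Where-Object { $_.DisplayName -like '*(RPC*' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        '{0}: {1}' -f $_.DisplayName, $scope
    }
```

Replication partners, monitoring and backup hosts that call RPC on the DC must be in the list, so test the scope on one DC before rolling it out.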