Microsoft’s Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild.
Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent months.
The two vulnerabilities that have come under active attack involve a Microsoft Outlook privilege escalation flaw (CVE-2023-23397, CVSS score: 9.8) and a Windows SmartScreen security feature bypass (CVE-2023-24880, CVSS score: 5.1).
CVE-2023-23397 is “triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server,” Microsoft said in a standalone advisory.
A threat actor could leverage this flaw by sending a specially crafted email, triggering it automatically when it is retrieved and processed by the Outlook client for Windows. As a result, this could lead to exploitation without requiring any user interaction and before the message is even viewed in the Preview Pane.
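A defender-side triage helper, added here as an example and not taken from the article or from any Microsoft tooling: it checks message properties for a UNC path and flags those whose host lies outside the organisation, which is the pattern the advisory quoted above describes. The article does not name the extended MAPI property, so the constructed sample messages carry its value in a `reminder_file` field; the trusted DNS suffix `.corp.example` and the internal address ranges are assumptions.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# A UNC path begins with two backslashes, then a host, then a share name.
_UNC_RE = re.compile(r"^\\\\([^\\]+)\\[^\\]+")

# Assumed organisation-internal names and ranges (constructed for this example).
TRUSTED_SUFFIXES = (".corp.example",)
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]


def unc_host(value: Optional[str]) -> Optional[str]:
    """Return the host part of a UNC path, or None if value is not a UNC path."""
    if not value:
        return None
    match = _UNC_RE.match(value)
    return match.group(1).lower() if match else None


def is_trusted_host(host: str) -> bool:
    """True if host is an internal DNS name or an address inside an internal range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: decide on the DNS suffix.
        return host.endswith(TRUSTED_SUFFIXES)
    return any(addr in net for net in TRUSTED_NETS)


def flag_external_unc(messages: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (message id, host) pairs whose property points at an external host."""
    flagged = []
    for msg in messages:
        host = unc_host(msg.get("reminder_file"))
        if host and not is_trusted_host(host):
            flagged.append((msg["id"], host))
    return flagged


# Constructed sample messages: a local file, an internal share, two external hosts.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "reminder_file": None},
    {"id": "msg-2", "reminder_file": r"\\fileserver.corp.example\sounds\chime.wav"},
    {"id": "msg-3", "reminder_file": r"\\203.0.113.10\share\x"},
    {"id": "msg-4", "reminder_file": r"\\evil.example.net\s\x"},
    {"id": "msg-5", "reminder_file": r"C:\Windows\Media\chimes.wav"},
]

if __name__ == "__main__":
    for msg_id, host in flag_external_unc(SAMPLE_MESSAGES):
        print(f"{msg_id}: reminder property points to external host {host}")
```

Flagged items are candidates for quarantine and for correlating against outbound TCP 445 connection attempts from the affected workstation.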
Microsoft credited the Computer Emergency Response Team of Ukraine (CERT-UA) with reporting the flaw, adding that it is aware of “limited targeted attacks” mounted by a Russia-based threat actor against government, transportation, energy, and military sectors in Europe.
CVE-2023-24880, on the other hand, concerns a security bypass flaw that could be exploited to evade Mark-of-the-Web (MotW) protections when opening untrusted files downloaded from the internet.
It is also the consequence of a narrow patch released by Microsoft to fix another SmartScreen bypass bug (CVE-2022-44698, CVSS score: 5.4) that came to light last year and which was exploited by financially motivated actors to deliver Magniber ransomware.
“Vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants,” Google Threat Analysis Group (TAG) researcher Benoit Sevens said in a report.
“Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug.”
TAG said it observed over 100,000 downloads of malicious MSI files signed with a malformed Authenticode signature since January 2023, thereby allowing the adversary to distribute Magniber ransomware without raising any security warnings. A majority of those downloads were associated with users in Europe.
The disclosure also comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two flaws to the Known Exploited Vulnerabilities (KEV) catalog and announced a new pilot program that aims to warn critical infrastructure entities about “vulnerabilities commonly associated with known ransomware exploitation.”
Also closed out by Microsoft are a number of critical remote code execution flaws impacting HTTP Protocol Stack (CVE-2023-23392, CVSS score: 9.8), Internet Control Message Protocol (CVE-2023-23415, CVSS score: 9.8), and Remote Procedure Call Runtime (CVE-2023-21708, CVSS score: 9.8).
Other notable mentions include patches for four privilege escalation bugs identified in the Windows Kernel, 10 remote code execution flaws affecting Microsoft PostScript and PCL6 Class Printer Driver, and a WebView2 spoofing vulnerability in the Edge browser.
Elsewhere, Microsoft also closed out two information disclosure flaws in Microsoft OneDrive for Android, one spoofing vulnerability in Office for Android, one security bypass bug in Microsoft OneDrive for iOS, and one privilege escalation issue in OneDrive for macOS.
Rounding off the list are patches for two high-severity vulnerabilities in the Trusted Platform Module (TPM) 2.0 reference library specification (CVE-2023-1017 and CVE-2023-1018, CVSS scores: 8.8) that could lead to information disclosure or privilege escalation.
Software Patches from Other Vendors
Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including:
- Apache Projects
- Aruba Networks
- Google Chrome
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- Mozilla Firefox, Firefox ESR, and Thunderbird
- Schneider Electric
- Trend Micro
- Zoho, and