What happened now? Since 2003, Microsoft has used “Patch Tuesday” as an unofficial name for the company’s monthly release of security patches for Windows and other software products. In March 2023, Redmond patched two nasty zero-day vulnerabilities that government-sponsored cybercriminals and ransomware operators were already exploiting in the wild.
Microsoft released the latest collection of security patches this week. Compared to February 2023, the latest batch of patches fixes a larger number of vulnerabilities, including a couple of flaws that were already being exploited.
Microsoft’s March Security Bulletin states that this release includes fixes for many Windows security components and features, Hyper-V virtualization technology, Visual Studio, Office programs, and more. The update should fix 83 security vulnerabilities in Windows and other Microsoft software products.
Nine of the 83 vulnerabilities were classified as “critical”, which means that hackers can use them for various attacks. Based on the type of error and the impact it has on Windows and other vulnerable software, the vulnerabilities are divided into the following categories: 21 privilege escalation vulnerabilities, 2 security feature bypass vulnerabilities, 27 remote code execution vulnerabilities, 15 information disclosure vulnerabilities, 4 denial of service vulnerabilities, 10 spoofing vulnerabilities, and 1 Edge (Chromium) vulnerability.
This list does not include 21 vulnerabilities that Microsoft had already patched in the Edge browser prior to the Patch Tuesday update. BleepingComputer published a full report with a list of all closed bugs and related recommendations. The March patch included two fixes for zero-day bugs, which Microsoft confirmed were heavily exploited by hackers.
The first zero-day bug is the “Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)”. If successfully exploited, the vulnerability allows access to the user’s Net-NTLMv2 hash, which a hacker could use “as the basis for an NTLM Relay attack against another service to authenticate the user.” The attack works even before the email is viewed in the preview pane, because the vulnerability is triggered automatically when the server processes the message. Microsoft stated that the prominent Russian state-sponsored cyber group Strontium took advantage of CVE-2023-23397 before a fix was released.
The second zero-day flaw is the “Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2023-24880)”. Microsoft explains that an attacker can exploit this bug by creating a malicious file that can bypass Mark of the Web (MOTW) protection in Microsoft Office’s Protected View feature. Google researchers found CVE-2023-24880 and said that hackers exploited it using the Magniber ransomware, noting that it is related to a previous zero-day bug (CVE-2022-44698) that Microsoft fixed in December.
Microsoft distributed its latest updates through the official Windows Update service, update management systems such as WSUS, and as a direct (albeit bulky) download through the Microsoft Update Catalog. Other software companies releasing security updates in conjunction with Microsoft patches include Apple, Cisco, Google, Fortinet, SAP, and backup giant Veeam.