Microsoft on Tuesday released updates to quash at least 74 security bugs in its Windows operating systems and software. Two of those flaws are already being actively attacked, including an especially severe weakness in Microsoft Outlook that can be exploited without any user interaction.
The Outlook vulnerability (CVE-2023-23397) affects all versions of Microsoft Outlook from 2013 to the newest. Microsoft said it has seen evidence that attackers are exploiting this flaw, which can be done without any user interaction by sending a booby-trapped email that triggers automatically when retrieved by the email server — before the email is even viewed in the Preview Pane.
While CVE-2023-23397 is labeled as an “Elevation of Privilege” vulnerability, that label doesn’t accurately reflect its severity, said Kevin Breen, director of cyber threat research at Immersive Labs.
Known as an NTLM relay attack, it allows an attacker to get someone’s NTLM hash [Windows account password] and use it in an attack commonly referred to as “Pass The Hash.”
“The vulnerability effectively lets the attacker authenticate as a trusted individual without having to know the person’s password,” Breen said. “This is on par with an attacker having a valid password with access to an organization’s systems.”
Security firm Rapid7 points out that this bug affects self-hosted versions of Outlook like Microsoft 365 Apps for Enterprise, but Microsoft-hosted online services like Microsoft 365 are not vulnerable.
The other zero-day flaw being actively exploited in the wild — CVE-2023-24880 — is a “Security Feature Bypass” in Windows SmartScreen, part of Microsoft’s slate of endpoint protection tools.
Patch management vendor Action1 notes that the exploit for this bug is low in complexity and requires no special privileges. But it does require some user interaction, and can’t be used to gain access to private information or privileges. However, the flaw can allow other malicious code to run without being detected by SmartScreen reputation checks.
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said CVE-2023-24880 allows attackers to create files that would bypass Mark of the Web (MOTW) defenses.
“Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen,” Childs said.
Seven other vulnerabilities Microsoft patched this week earned its most-dire “critical” severity label, meaning the updates address security holes that could be exploited to give the attacker full, remote control over a Windows host with little or no interaction from the user.
Also this week, Adobe released eight patches addressing a whopping 105 security holes across a variety of products, including Adobe Photoshop, Cold Fusion, Experience Manager, Dimension, Commerce, Magento, Substance 3D Stager, Cloud Desktop Application, and Illustrator.
For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.
Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.
Although not explicitly stated, I’m assuming that the scary bug discussed at the start of the post (CVE-2023-23397) would not affect Outlook that is based on a single PC, i.e., Outlook 2016 rather than the subscription/cloud-based version Outlook 365. Is that correct? (I’ve already installed the latest MS security update, so either way I’m probably OK.)
It does affect
Hi Mike, according to the updates list for CVE-2023-23397 (source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397), the bug discussed affects all versions of MS Outlook from 2013 onwards, including Outlook 2016. Therefore, it’s important to stay vigilant and keep your software updated. It’s great to hear that you’ve already installed the latest MS security update – well done!
I use hotmail from a Mac, does this affect me? Obviously I can’t patch my non-windows computer. Does/will Microsoft fix this ‘globally’? i.e. I don’t have to do anything? I’m migrating to gmail, but still use hotmail somewhat. Thanks
“Security firm Rapid7 points out that this bug affects self-hosted versions of Outlook like Microsoft 365 Apps for Enterprise, but Microsoft-hosted online services like Microsoft 365 are not vulnerable.”
Somebody knows but it’s *likely?
The vulnerability discussed in the post (CVE-2023-23397) affects only Windows versions of Microsoft Outlook, so you don’t have to worry about it affecting your Mac or your Hotmail account. Microsoft has released a global fix for the vulnerability affecting Windows users, so you don’t have to take any further action. However, it’s still important to keep your Mac updated with the latest security patches to stay protected against other potential threats. The Mac version of the Microsoft Office patch includes fixes for the Windows Graphics Component Elevation of Privilege Vulnerability (CVE-2023-24910) and a fix for the Microsoft Excel Remote Code Execution Vulnerability (CVE-2023-23399). I hope this helps!
@MikeMiller – Actually, I believe it would be affected. It was stated that all supported versions of Outlook for Windows were affected as they utilize NTLM, but NOT Outlook on the web or O365\Microsoft 365 as they do not utilize NTLM. At least, that was my understanding of the vuln….
Find it rather irritating that office doesn’t seem to get updated with win updates. I seem to constantly have to open up office and manually kick off an check for updates to get them even after running windows update.
@BaronWoodenShoes
Do you have the option ticked to “Receive updates for other Windows products”?
It’s top of the list under “Advanced Options” for Windows Update.
Hello Baron,
We find ourselves in the same boat.
I found a setting in M365 admin center that says office receives updates automatically, but there’s no way of knowing EXACTLY WHEN that is…
Two days later I did not have the update, so I also manually updated it…
There must be a way to force it…
I got careless. Instead of postponing Windows updates for at least a few days as I usually do — to check for reports that they might cause problems — this time I just went ahead and let the updates happen. And therein lay disaster. On restart (this is a Dell Inspiron running Win 11, btw), my screen was blinking on and off, and I could do nothing. I would have tried a system restore, but there was no way to access it. Nothing worked at all; couldn’t even open the start menu. Couldn’t even shut down or restart in the usual ways, though I found workarounds.
I got a partial solution by using a USB drive to launch Dell Support Assist, which restored my system way back to November of last year. Except it didn’t get everything to work correctly. I could now open my Word and Excel files, but not my many Notepad files. I tried to do a system restore, but of course all my restore points had been obliterated by Dell Support Assist when it took me back to last November. The computer kept saying it couldn’t find the Notepad files, even though I could clearly see them in File Explorer. Also, the start menu still wouldn’t open, which made it difficult, though not impossible, to find and open certain files. Windows search was completely kaput as well, including in File Explorer. The Windows start button was worthless, too, which, again, made many things difficult but not quite impossible; I found workarounds.
Today I took my laptop to my favorite computer shop, which can usually handle just about anything. They managed to get the start menu working again, and search, but I still can’t open my Notepad files. They say they’re going to have to reset the OS, which would take more time than I have at the moment. Tomorrow morning I’m leaving on a foreign trip, so I’m just going to have to live with the status quo until I get back.
This wasn’t a complete disaster, of course. Like all good Krebs readers, I know enough to have all my stuff backed up. But still, it’s a PITA.
Lesson learned: Don’t casually allow Windows updates, especially when a trip is coming up!
So… for the third month in a row I set a delay on the update. And… as I shutdown it went into the update! I wanted to backup some stuff, etc. BOOM! Looks like the update worked. BUT – what a bunch of crappola. What the F?
That is interesting I have mine set to not automatically update (not the pause) but it did also.
Wonder why I have clones of win7 in 2023.
I know very little about all these things but I thought I read somewhere that even if you have updates turned off that if Microsoft feels an update is critical it will still update. This sounds serious enough that it might explain your computer updating even though you have automatic updates turned off.
It got late. I just wanted to backup up stuff next morning before updating. GEEZ! Mother M’soft thought I should change my diapers right NOW because of their inabilty to develop stuff that passes any quality or security testing? Unfortunately, we’re stuck in this hell-of-a-mess we developed. Good, bad & ugly.
Yes. I’m one of the culprits that made some of this happen. We could do a lot better methinks. The money flows in funny ways.
I think you’re right. Thankfully no hiccups with this one and I did have time to do a backup as it prompted for the restart rather than automatically doing that also. Usually I prefer to wait a few days to hear if there are any catastrophic fails before I go ahead, but I guess HAL 9000 knows better than to listen to humans.
bleepingcomputer. com/news/security/microsoft-support-cracks-windows-for-customer-after-activation-fails/
Confidence Level : impacted
This is not related to March Patch Tuesday. That said, it is true. Some of the MS ‘official’ support affiliates will resort to unconventional measures to get an install accomplished. I had a similar experience once.
Ref’s to CVE-2023-24800 above should be corrected to CVE-2023-24880
Whoops. Thanks!
Our biggest civilization crash will not come from climate change. Windows will do us worse.
Does anyone know if 22H2 (Win10) downloaded and installed today (3/16/23) addresses CVE-2023-23397?
Based on Microsoft’s statement about the latest 22H2 update for Windows 10, it appears that it does not include the specific updates addressing CVE-2023-23397 that you mentioned. The statement reads: “It includes all features and fixes in previous cumulative updates to Windows 11, version 21H2, the original Windows 11 release version.” Therefore, it’s recommended that you install the latest updates separately to ensure that your system is fully protected against this vulnerability. I hope this helps!
Does the Outlook exploit affect Mac versions of the mail client? I have not seen any mention/guidance on this, but want to be sure I am not missing any risk vectors.
I don’t see any Mac versions listed as affected currently:
https://krebsonsecurity.com/wp-content/uploads/2023/03/23397screen.png
Bk
How to automatically install Microsoft Windows security patches? I hope everyone will be safe now but I think that Microsoft should consider security first, these big companies are making money but they have risk, vulnerabilities.
Internet explorer unistall tool release is delayed the deployment of AI chat gpt on bing.
I got this error on my windows 11 system 64 bit system:
vcruntime140.dll not found
trying to open a .doc or .docx file using libre writer (part of libre office, the free software that replaces windows office)
after doing the patch tuesday (march 2023) updates.
The fix was to install Microsoft Visual c++ 2015-2022
I downloaded file: VC_redist.x64.exe from microsoft and ran the downloaded file.
Got the file here:
https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170
For people running a small network at home be done with this and turn off updates and forget about it. It’s update impossible forever.
Sure thing, Russia.
Following the link in the Microsoft page to the page where we can download the actual fix, it states that the system requirements for the fix are “Windows Server 2012 R2, Windows Server 2016, Windows Server 2012, Windows 8.1, Windows 10”.
There is no mention of Windows 11, does anyone know if the fix will still work for Win11?