The Outlook vulnerability (CVE-2023-23397) affects all versions of Microsoft Outlook from 2013 to the latest. Microsoft said it has seen evidence that attackers are exploiting this flaw, which can be done without any user interaction by sending a booby-trapped email that triggers automatically when it is retrieved by the email server, before the email even appears in the preview pane.
While CVE-2023-23397 is labeled as an “Elevation of Privilege” vulnerability, that label does not accurately reflect its severity, said Kevin Breen, director of cyber threat research at Immersive Labs.
Known as an NTLM relay attack, it allows an attacker to obtain someone’s NTLM hash (Windows account password) and use it in an attack commonly referred to as “Pass The Hash”.
“The vulnerability effectively lets the attacker authenticate as a trusted person without needing to know the person’s password,” Breen said. “This is on par with an attacker having a valid password accessing an organization’s systems.”
Security company Fast 7 points out that this bug affects self-hosted versions of Outlook such as Microsoft 365 Apps for businesses, but Microsoft-hosted online services such as Microsoft 365 are not vulnerable.
The other zero-day flaw actively exploited in the wild – CVE-2023-24800 – is a “security feature bypass” in Windows SmartScreen, part of Microsoft’s list of endpoint protection tools.
Patch management provider Action1 notes that exploiting this bug is low in complexity and requires no special privileges. But it requires some user interaction and cannot be used to access private information or privileges. However, the flaw may allow other malicious code to run undetected by SmartScreen reputation checks.
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said CVE-2023-24800 allows attackers to create files that would bypass Mark of the Web (MOTW) defenses.
“Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen,” said Childs.
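Because SmartScreen and Protected View key off MOTW, defenders often audit whether files in download locations actually carry it. The following is an added example, not code from the original article or from Microsoft: it parses the `Zone.Identifier` alternate data stream that stores the mark on NTFS and labels each file for triage. The sample stream contents, file names and the triage labels are constructed for illustration.

```python
"""Triage files by their Mark of the Web (Zone.Identifier) metadata."""
from typing import Dict, Optional

# Windows URL security zones as stored in the ZoneId field.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-style body of a Zone.Identifier stream."""
    fields, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def classify(stream_text: Optional[str]) -> str:
    """Label one file; None means the file has no Zone.Identifier stream."""
    if stream_text is None:
        return "no-motw"            # SmartScreen has no origin mark to act on
    zone = parse_zone_identifier(stream_text).get("zoneid", "")
    if not zone.isdecimal() or int(zone) not in ZONES:
        return "malformed-motw"     # stream present but unusable: review manually
    # Assumed policy for this example: Internet and Restricted are untrusted.
    return "untrusted-origin" if int(zone) >= 3 else "trusted-zone"

def read_stream(path: str) -> Optional[str]:
    """Read the NTFS alternate data stream on Windows; None if it is absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

# Constructed samples: file name -> stream contents as read_stream() would return.
SAMPLES = {
    "report.docx": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://downloads.example/report.docx\r\n",
    "intranet.xlsx": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "extracted.js": None,
    "odd.iso": "[ZoneTransfer]\r\nZoneId=\r\n",
}

def audit(samples: Dict[str, Optional[str]]) -> Dict[str, str]:
    return {name: classify(body) for name, body in samples.items()}

if __name__ == "__main__":
    for name, label in audit(SAMPLES).items():
        print(f"{name:15} {label}")
```

On a Windows host, feeding `read_stream(path)` for each file under a downloads directory into `classify` surfaces the `no-motw` and `malformed-motw` files, which are the ones SmartScreen reputation checks would not cover.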
Seven other vulnerabilities that Microsoft patched this week received its most severe “critical” severity rating, meaning the updates address security holes that could be exploited to give an attacker full remote control over a Windows host with little or no user interaction.
Also this week, Adobe released eight patches that address a total of 105 security holes across a number of products, including Adobe Photoshop, ColdFusion, Experience leader, Dimension, Trade, Magento, Fabric 3D Stager, Cloud Desktop application, and Illustrator.
For a more detailed overview of the updates released today, see the SANS Internet Storm Center overview. If today’s updates cause stability or usability issues in Windows, AskWoody.com will likely take the brunt of it.
Please consider backing up your data and/or imaging your system before applying any updates. And feel free to drop in the comments if you experience any problems as a result of these patches.