You searched for patch tuesday - My TechDecisions
https://mytechdecisions.com/
The end user’s first and last stop for making technology decisions
Tue, 13 Jun 2023 19:14:23 +0000

June 2023 Patch Tuesday: Exchange Server, SharePoint, PGM
https://mytechdecisions.com/network-security/june-2023-patch-tuesday-exchange-server-sharepoint-pgm/
Tue, 13 Jun 2023 19:14:23 +0000

Microsoft has released fixes for about 70 vulnerabilities for its June 2023 Patch Tuesday release, and while none are listed as being actively exploited or publicly known, there are still a handful of critical-rated vulnerabilities that IT admins should prioritize this month.

That list of bugs that should be prioritized includes two remote code execution vulnerabilities in Microsoft Exchange Server, an elevation of privilege bug in Microsoft SharePoint, a trio of remote code execution flaws in Windows Pragmatic General Multicast, and a handful of others.

Based on input from security researchers from Zero Day Initiative (ZDI), Tenable, Immersive Labs and others, here is a look at the vulnerabilities that warrant more attention for the June 2023 Patch Tuesday release.

CVE-2023-32031 – Microsoft Exchange Server Remote Code Execution Vulnerability

If this looks familiar, you aren’t alone. Microsoft has issued fixes for a number of Exchange Server remote code execution bugs in recent years, and this one is a bypass of fixes for CVE-2022-41082 and CVE-2023-21529, with the latter listed as being under active exploitation.

This vulnerability exists within the Command class, and the issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. This bug requires the attacker to have an account on the Exchange server, but successful exploitation could lead to executing code with SYSTEM privileges.

CVE-2023-28310 – Microsoft Exchange Server Remote Code Execution Vulnerability

This is the other Exchange RCE bug listed this month, and like its twin, it is rated as important but considered more likely to be exploited. It also requires the attacker to be authenticated, so an attacker will need valid credentials.

According to researchers, both Exchange Server bugs closely mirror the vulnerabilities identified as part of the ProxyNotShell exploits. Successful exploitation could result in an attacker gaining access to an organization’s email account, or even the ability to impersonate any user.

Since attackers are adept at stealing valid credentials via phishing attacks, these should not be ignored.

CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability

According to researchers, this critical-rated vulnerability allows an attacker to bypass authentication due to a flaw within the ValidateTokenIssuer method. Microsoft lists enabling the AMSI feature as a mitigation for this flaw, but organizations are still urged to deploy the update as soon as possible.

Exploitation is achieved by sending a spoofed JWT authentication token to a vulnerable server, giving the attacker the privileges of an authenticated user on the target, researchers say.

CVE-2023-29363/32014/32015 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

This trio of vulnerabilities, all critical-rated, allows a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) Server environment. This is the third month in a row that Microsoft has patched a critical-rated bug in this component.

For successful exploitation, a system must have message queuing services enabled.

For further June 2023 Patch Tuesday analysis, consult research blogs from Zero Day Initiative, Tenable, Immersive Labs and others.

The post June 2023 Patch Tuesday: Exchange Server, SharePoint, PGM appeared first on My TechDecisions.

My TechDecisions Podcast Episode 194: May 2023 Patch Tuesday
https://mytechdecisions.com/podcast/my-techdecisions-podcast-episode-194-may-2023-patch-tuesday/
Thu, 11 May 2023 17:11:42 +0000

On this episode of the My TechDecisions Podcast, we are joined again by Chris Goettl, vice president of product management at Ivanti, to discuss the May 2023 Patch Tuesday release from Microsoft.

IT administrators have a relatively easy May 2023 Patch Tuesday, as Microsoft has released fixes for just 38 vulnerabilities in the company’s software products; however, two are listed as being actively exploited. This is a very low security update count coming out of Redmond, Wash., with Microsoft issuing fixes for nearly half as many security bugs as it fixed last May.

According to researchers, this month’s Patch Tuesday is Microsoft’s lowest volume since August 2021. However, there are still several bugs that should be addressed quickly. That’s where Chris Goettl offers his advice and expert opinion to help admins prioritize the more dangerous vulnerabilities and keep their organization insulated from cyberattacks.

Chris dives into detail on these vulnerabilities, as well as other topics:

  • CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability (actively exploited)
  • CVE-2023-24932 – Secure Boot Security Feature Bypass Vulnerability (actively exploited)
  • CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability
  • CVE-2023-24941 – Windows Network File System Remote Code Execution Vulnerability
  • CVE-2023-24955 – Microsoft SharePoint Server Remote Code Execution Vulnerability


May 2023 Patch Tuesday: Two Vulnerabilities Under Active Attack
https://mytechdecisions.com/it-infrastructure/may-2023-patch-tuesday-two-vulnerabilities-under-active-attack/
Tue, 09 May 2023 19:07:15 +0000

The May 2023 Patch Tuesday brings a much smaller number of vulnerabilities that IT admins must fix, as Microsoft has released fixes for just 38 vulnerabilities in the company’s software products. However, two are listed as being actively exploited, which makes this month’s patches just as critical as those of other months.

This is a very low security update count coming out of Redmond, Wash., with Microsoft issuing fixes for nearly half as many security bugs as it fixed last May.

According to Zero Day Initiative, this month’s Patch Tuesday is Microsoft’s lowest volume since August 2021. However, there are still several bugs that should be addressed quickly, including seven rated critical and 31 rated important.

May 2023 Patch Tuesday bugs that IT departments should prioritize

CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability

This bug is listed as under active attack this month and is a privilege escalation vulnerability that could allow an attacker to gain SYSTEM privileges, according to Microsoft. Privilege escalation bugs are typically combined with code execution for other malicious purposes, but Microsoft offers no further details on these attacks or how widespread they are.

According to Satnam Narang, a senior staff research engineer at vulnerability management firm Tenable, this is the fifth month in a row that an elevation of privilege bug was exploited in the wild, and the fourth such vulnerability in Win32k.

CVE-2023-24932 – Secure Boot Security Feature Bypass Vulnerability

This is the other bug listed as being publicly exploited. According to Microsoft, an attacker would need physical access or administrative rights to a target device to install an affected boot policy and bypass Secure Boot. Successful exploitation would require an attacker to compromise an administrator’s credentials on the device.

The vulnerability appears to be related to an ESET report in March regarding BlackLotus, a Unified Extensible Firmware Interface (UEFI) bootkit that cybercriminals have been using since October 2022 and that can be purchased for $5,000 on hacking forums, according to Narang.

ESET said in its March report that the bootkit was capable of bypassing the UEFI Secure Boot security feature on fully patched systems.


CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability

This publicly disclosed vulnerability allows an attacker to execute code on an affected system by sending a specially crafted RTF email. According to Zero Day Initiative (ZDI), the real component to worry about for this vulnerability is Outlook, as the Preview Pane is an attack vector, so a user doesn’t need to read the crafted message for an attack to be successful. While Outlook is the most likely vector, other Office applications are also impacted.

According to Microsoft, an email attack scenario would involve an attacker sending the specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine.

For a workaround, Microsoft recommends users read email messages in plain text format, but admins should just test and deploy this patch.

CVE-2023-24941 – Windows Network File System Remote Code Execution Vulnerability

According to Microsoft, this vulnerability can be exploited over the network by making an unauthenticated, specially crafted call to a Network File System service to trigger a remote code execution. The bug gets a CVSS score of 9.8, probably because no user interaction is required.

ZDI notes that the vulnerability exists in NFS version 4.1, but not in NFSv2.0 or NFSv3.0.

Organizations can mitigate this bug by downgrading NFS to a previous version, but admins should only do so if they installed the CVE-2022-26937 patch from last May.

CVE-2023-24955 – Microsoft SharePoint Server Remote Code Execution Vulnerability

According to ZDI, this vulnerability was demonstrated by the STAR Labs team during Pwn2Own Vancouver and was part of a chain used to obtain code execution on the target server. It was combined with an authentication bypass during the contest, but requires authentication.

This is also one of three SharePoint bugs patched this month, including an information disclosure vulnerability and a spoofing flaw.

Cycode Launches Application Security Orchestration and Correlation
https://mytechdecisions.com/network-security/cycode-application-security-orchestration-and-correlation-asoc/
Fri, 21 Apr 2023 16:54:17 +0000

Cycode, the San Francisco-based software supply chain security solutions provider, is launching Cycode Application Security Orchestration and Correlation (ASOC) to provide security teams consistent visibility into the various AppSec tools that are used in modern software delivery pipelines. According to the company, full visibility of all AppSec tooling allows for greater control over pipeline vulnerabilities and fundamentally protects the development infrastructure.

How Cycode ASOC Works

Acting as a management layer between application development and security testing, Cycode ASOC automatically discovers tooling across the software development life cycle (SDLC) and analyzes and correlates the tools’ data, identifying vulnerabilities across different modules. When a vulnerability appears more than once, Cycode ASOC automatically deduplicates it while also aggregating the remaining unique results into one centralized location.


In the centralized location, the vulnerabilities are prioritized by level of risk to help with remediation. By reducing the noise, this automated process allows security teams to focus on fewer issues that are of the highest priority. This, in turn, increases the effectiveness of security teams and reduces alert fatigue, says the company.

Benefits for Security Teams

Cycode ASOC provides:

  • Automated tool discovery – automatically discover tooling starting with the SCM, the foundation of DevOps infrastructure
  • Pipeline security posture – gain visibility into pipeline and tool configurations, including which security tools are used in each phase of the development process
  • Comprehensive prioritization – ingest data and prioritize vulnerabilities from third-party solutions

“Security teams are struggling to protect their development infrastructure because they lack visibility into the many tools used in modern software delivery pipelines such as cloud platforms, serverless, SaaS and other ephemeral services,” said Ronen Slavin, co-founder and CTO of Cycode, in a statement. “Even software teams that build and use pipelines may not be aware of all the tools in use and how they are configured. This limited visibility creates huge blind spots in the security program, forcing security teams to waste resources trying to understand and secure pipelines, and prevents consistent management of security risks.”

Cycode will be at the RSA Conference 2023 and will be demonstrating its ASOC feature at booth #6471 from Monday, April 24 through Thursday, April 27, 2023, at the Moscone Center in San Francisco, Calif.

NASA’s Curiosity Software Update Makes Patch Tuesday Seem Like a Breeze
https://mytechdecisions.com/it-infrastructure/nasas-curiosity-software-update-makes-patch-tuesday-seem-like-a-breeze/
Mon, 17 Apr 2023 20:08:52 +0000

Patching and updating systems is one of the core responsibilities of an IT professional, yet that task often proves challenging depending on the number of devices and applications that need to be patched in the organization.

However, those systems are typically located on Earth. Imagine trying to patch a system on an entirely different planet.

That’s apparently what NASA just did, sending a major software update more than 150 million miles away to the Curiosity rover, designed to enable the wheeled robot to drive faster and reduce the wear and tear its wheels have endured for over a decade.

In addition, NASA made about 180 other changes in the update, which required Curiosity to essentially be shut down between April 3 and April 7, the space agency says in a press release. This is the equivalent of upgrading a Windows 10 device to Windows 11, albeit from a different planet.

While Microsoft, Google and other tech giants spend a considerable amount of time preparing updates and rolling them out, NASA took nine years to develop and send out this update to Curiosity, with the last update going back to 2016.

Other changes include making corrections to the messages the rover sent back to Earth and simplifications to computer code that had been altered by previous patches.

Software update to help navigate Mars terrain

According to NASA, Curiosity can now do more of what it calls “thinking while driving” – performing in a more advanced way to navigate around rocks and sand traps. This is something that NASA’s newest Mars rover, Perseverance, does to help navigate the Mars terrain. Perseverance constantly snaps pictures of the terrain ahead, processing them with a dedicated computer so it can autonomously navigate during one continuous drive.

However, Curiosity isn’t equipped with a dedicated computer for that purpose, instead driving in segments and stopping to process imagery of the terrain after each segment. That results in many stops and starts over the course of a long drive.

The update will help Curiosity process images faster and spend more time on the move, according to NASA.

A new algorithm to protect Curiosity’s wheels

To reduce the wear and tear on the rover’s aluminum wheels, which have been showing signs of broken treads since 2013, NASA included in the update a new algorithm designed to improve traction and reduce wheel wear by adjusting the rover’s speed depending on the rocks it’s rolling over.

The update also includes two new mobility commands that reduce the amount of steering the rover needs to do while driving in an arc toward a specific waypoint, helping to further preserve the life of the wheels.

The software update will also help the human controllers on Earth plan the rover’s movements and will make future software updates easier to deploy, according to NASA.

IT admins pushing out a major patch or update may cross their fingers, but doing so across 150 million miles of space is a bit more nerve-wracking, says Jonathan Denison, the rover’s engineering operations team chief, in a statement.

“The idea of hitting the install button was a little scary,” Denison says. “Despite all our testing, we never know exactly what will happen until the software is up there.”

My TechDecisions Podcast Episode 193: April 2023 Patch Tuesday
https://mytechdecisions.com/podcast/my-techdecisions-podcast-episode-193-april-2023-patch-tuesday/
Thu, 13 Apr 2023 16:50:43 +0000

Chris Goettl, vice president of product management for security at Ivanti, joins the podcast to discuss the April 2023 Patch Tuesday security updates from Microsoft and Apple.

IT administrators in Microsoft environments have about 100 patches to apply for the April 2023 Patch Tuesday release, including one in Windows Common Log File System Driver that is being actively exploited and another one from 2013 that is being reissued.

The company released patches to fix 97 vulnerabilities in its products, in addition to three Edge bugs patched earlier this month. Of the new patches, 45 address remote code execution bugs.

The Microsoft patches are in addition to two zero days discovered in Apple products impacting Safari, macOS and iOS.


Is Your Organization Testing Against the Right Cyber Threats?
https://mytechdecisions.com/network-security/testing-against-cyber-threats/
Wed, 12 Apr 2023 17:06:20 +0000

Ransomware, supply chain attacks and nation-state threat actors have grabbed mainstream headlines in recent years, and organizations are largely recognizing that they must invest more in cybersecurity to defend against those emerging techniques.

However, new research shows that some organizations are prioritizing defending against those trending, newsworthy threats at the expense of the threats actually facing their organization.

According to Mike DeNapoli, director of cybersecurity architecture at security posture management platform Cymulate, organizations are focusing on those headline-grabbing threats too often.

While staying current on new and emerging attack techniques is essential for any IT and security professional, organizations are doing so at the expense of the threats they are more likely to encounter on a daily basis, DeNapoli says.

Citing the company’s “2022 Cybersecurity Effectiveness Report,” DeNapoli says 40% of the exploits vulnerability managers are discovering are over two years old. New attacker tools and techniques such as AI-assisted polymorphic ransomware attacks should of course garner attention, but not at the expense of proven attack vectors.

“(Polymorphic ransomware) is not something we should be ignoring in any way, but at the same time, ProxyShell and ProxyNotShell vulnerabilities are still visible on Exchange Server,” DeNapoli says. “Attackers…are going to go for the low-hanging fruit when it’s available.”

What organizations are testing for vs. what is actually being exploited

According to Cymulate’s research, 40% of the top CVEs identified most by vulnerability management platforms were over two years old, and a significant number of organizations are not testing against more widely recognized threats such as those Exchange Server vulnerabilities and malware such as Emotet.

Other known vulnerabilities in organizations’ environments include poorly configured identity and access management and privileged access management, as well as reliance on legacy infrastructure.

However, the top 10 immediate threats simulated last year share many characteristics, including being carried out by known threat actors; using phishing, watering hole and supply chain attacks; using known attack tools; having a clear motive; and being highly sophisticated and evasive.

Another top characteristic is that they were all abundantly reported on in specialized and mainstream press.

According to Cymulate, the top 10 most tested threats include:

  • Manjusaka: a cyber-attack framework of Chinese origin, likely created for criminal use, it includes Windows and Linux implants and a ready-made command and control server.
  • Powerless Backdoor: a cyber threat popular among Iranian hackers, designed to avoid detection by PowerShell, and can download a browser info stealer, keylogger, encrypt and decrypt data, execute arbitrary commands, and kill processes.
  • APT 41 targeting U.S. State Governments: a Chinese state-sponsored hacking group that has been targeting US state governments using various tools and techniques such as Acunetix, Nmap, and SQLmap, and attack methods like phishing, watering hole attacks, and supply-chain attacks.
  • Lazarus Phishing Attack on DoD Industry: a phishing campaign carried out by the North Korean hacking group Lazarus, targeting job applicants in the US defense sector with malicious documents containing macros.
  • Industroyer 2: An APT-style malware that specifically targets industrial control systems (ICS) and critical infrastructure. A spinoff of the 2016 attack on Ukraine power grid.
  • Spring4Shell: Exploiting the Spring Framework vulnerability (CVE-2022-22965), it allows for remote code execution without authentication.
  • Follina Office Attack: Weaponizing Microsoft vulnerability (CVE-2022-30190), it allows for remote code execution without authentication.
  • Ransomexx: A ransomware-as-a-service (RaaS) model, financially motivated and believed to be related to the Sprite Spider ransomware group based in Russia.
  • Quantum Ransomware: One of the fastest cases of time-to-ransom ever observed with initial access to domain-wide ransomware in just 3 hours and 44 minutes. The initial access vector for this attack was an IcedID payload delivered via email.
  • Mikubot: A new variant of bot malware that is being offered for sale in threat actor forums; it is written in C++ and works on Windows operating systems from Vista to Windows 11. The malware is standalone and is being sold for $1,300 for 1.5 months of access or $2,200 for a three-month subscription.

However, the company’s list of the vulnerabilities most frequently identified by vulnerability management tools includes bugs that keep making appearances in threat research, such as Exchange Server vulnerabilities, PrintNightmare, and others.

  • CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability. Used in Follina attacks.
  • CVE-2021-34527 – A remote code execution (RCE) vulnerability that allows threat actors to remotely inject DLLs. Used in conjunction with CVE-2021-1675 in PrintNightmare attacks
  • CVE-2013-3900 – A WinVerifyTrust signature validation vulnerability that allows remote attackers to execute arbitrary code via specially crafted portable executables by appending the malicious code snippet while still maintaining the validity of the file signature.
  • CVE-2022-2190 – Microsoft HTTP protocol stack remote code execution vulnerability
  • CVE-2021-1675 – Allows an attacker with low access privileges to use a malicious DLL file to escalate privilege. Used in conjunction with CVE-2021-34527 in PrintNightmare Attacks.
  • CVE-2021-31956 – Windows NTFS Elevation of Privilege Vulnerability
  • CVE-2018-0798 – A Microsoft Office memory corruption vulnerability that allows remote code execution due to the way objects are handled in memory.
  • CVE-2018-0802 – A Microsoft Office memory corruption vulnerability that allows remote code execution due to the way objects are handled in memory.
  • CVE-2017-11882 – A Microsoft Office memory corruption vulnerability that allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory.
  • CVE-2022-3786 – A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the ‘.’ character (decimal 46) on the stack and cause a denial of service.

Assess your environment first

When IT and security professionals see these new attacks making headlines, they should first assess whether they have the vulnerable assets in their environment, and if they would be a target of the threat actor, if one was identified.

According to DeNapoli, that means getting a handle on shadow IT and cloud sprawl, which is admittedly difficult to do.

“But, it’s necessary, because if there is something like a Log4J, you don’t know what is running within the environment and it becomes incredibly difficult to determine if you could be attacked by that type of technique,” DeNapoli says. “Having those sort of catalogs or inventories of what’s there and what could be a target is going to help a lot.”

However, organizations should not be ignoring the things that came before, as threat actors have proven that leveraging old vulnerabilities, some of which are more than a decade old, is still successful.

The U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog is a prime example of this issue, as 481 of the 914 vulnerabilities on the list are from before 2020.

“Nation-state actors are using this backlog to successfully attack organizations,” DeNapoli says. “Always compare what’s coming out in the news to what you’ve got running to determine if this is something you should deal with immediately, or if it can be put on the backburner in favor of something much more likely to happen.”

Microsoft Rolls Out Windows LAPS for On Prem, Cloud
https://mytechdecisions.com/it-infrastructure/microsoft-rolls-out-windows-laps-for-on-prem-cloud/
Wed, 12 Apr 2023 14:53:45 +0000

The post Microsoft Rolls Out Windows LAPS for On Prem, Cloud appeared first on My TechDecisions.

Microsoft is rolling out the new Windows Local Administrator Password Solution (LAPS) that is now natively integrated directly in Windows, eliminating the need for IT admins to download it as an MSI package from the Microsoft Download Center.

The product has been available on the Download Center for many years and has been used to manage the password of a specific local administrator account by regularly rotating it and backing it up to Active Directory (AD). Microsoft says LAPS has been an essential tool for on-premises AD enterprise security.

Now, the tool is available for both cloud and on-premises environments. It will be part of Microsoft Entra and will shift from private to public preview later this quarter, Microsoft says, calling Windows LAPS a “huge improvement” in virtually every area beyond the legacy on-premises LAPS solution.

Windows LAPS will be natively integrated into the following Windows editions:

  • Windows 11 Pro, EDU and Enterprise
  • Windows 10 Pro, EDU and Enterprise
  • Windows Server 2022 and Windows Server Core 2022
  • Windows Server 2019

According to Microsoft, the feature is ready to go out of the box and admins will no longer need to install an external MSI package. Fixes or feature updates will be delivered via the company’s normal patching processes.

In Azure AD environments, the private preview stores the password in Azure AD and lets admins retrieve it through Microsoft Graph. Two new Graph permissions gate that access: DeviceLocalCredential.ReadBasic.All returns only the password metadata (account name, last update, expiry), while DeviceLocalCredential.Read.All returns the sensitive cleartext password itself, so the second should be granted to as few principals as possible.

In addition, the Windows LAPS tool provides Azure role-based access control policies for password retrieval, supports the Azure management portal for retrieving and rotating passwords, rotates the password automatically and allows management via Intune, the company says in a blog.

In addition to the Azure AD features, Microsoft also updated the experience for on-premises Active Directory environments, including password encryption (the password is stored in AD encrypted to an authorized principal rather than in cleartext, as legacy LAPS did), a password history feature (previous passwords are retained, which matters when a machine is restored from backup), backup of the Directory Services Restore Mode (DSRM) account password on domain controllers, a legacy LAPS emulation mode and automatic rotation.

For hybrid scenarios, Windows LAPS supports policy management via both Group Policy and the Configuration Service Provider (CSP), rotation of the Windows LAPS account password from Intune, a dedicated event log, a new PowerShell module and hybrid-joined devices.

Admins can begin using the new Windows LAPS with the April 2023 Patch Tuesday update, but the LAPS scenario in Azure AD is still in private preview and will shift to public later this quarter.
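The following is an added example, not code from the article or from Microsoft, showing what the on-premises rollout described above looks like with the new Windows LAPS PowerShell module: schema extension, delegating write and read rights, auditing who can already read passwords, and retrieving a password. The domain (corp.example), the Workstations OU, the LAPS-Readers group and the computer WS01 are hypothetical names. Step 1 needs Schema Admins membership; the rest needs Domain Admin rights on an admin workstation that has the April 2023 (or later) update installed.

```powershell
# Added example (not the article's or Microsoft's code): on-premises Windows LAPS rollout
# and verification with the built-in LAPS module. All names below are hypothetical.
#Requires -Modules LAPS
Import-Module LAPS

$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'   # hypothetical OU
$ReaderGroup   = 'CORP\LAPS-Readers'                      # hypothetical group

# 1. One-time, Schema Admin: add the msLAPS-* attributes (password, encrypted password,
#    expiration time, password history) to the AD schema.
Update-LapsADSchema -Verbose

# 2. Let computers in the OU write their own password and expiry attributes.
Set-LapsADComputerSelfPermission -Identity $WorkstationOU

# 3. Grant a dedicated group read and reset rights. Nobody else should get these.
Set-LapsADReadPasswordPermission  -Identity $WorkstationOU -AllowedPrincipals $ReaderGroup
Set-LapsADResetPasswordPermission -Identity $WorkstationOU -AllowedPrincipals $ReaderGroup

# 4. Audit: which principals already hold "All extended rights" on this OU? Every one of
#    them can read every LAPS password beneath it, so review this list before go-live.
Find-LapsADExtendedRights -Identity $WorkstationOU | Format-Table -AutoSize

# 5. Log successful reads of the password attributes to the Security event log.
Set-LapsADAuditing -Identity $WorkstationOU -AuditedPrincipals 'Everyone' -AuditType Success

# 6. Retrieve a password. Without -AsPlainText the Password property is a SecureString;
#    -IncludeHistory also returns previous passwords (useful after a restore from backup).
$entry = Get-LapsADPassword -Identity 'WS01' -AsPlainText -IncludeHistory
$entry | Select-Object ComputerName, Account, ExpirationTimestamp, Source, Password

# 7. On the managed client itself (run on WS01, not on the admin workstation):
#    apply policy now, and force a rotation once the retrieved password has been used.
#    Invoke-LapsPolicyProcessing -Verbose
#    Reset-LapsPassword

# Azure AD-joined devices (preview): same idea, keyed by device ID and gated by the
# DeviceLocalCredential.Read.All Graph permission.
#    Get-LapsAADPassword -DeviceIds '<device-object-id>' -IncludePasswords -AsPlainText
```

Step 4 is the check most rollouts skip: legacy delegations and "Full Control" ACEs on the OU are inherited by the new attributes, so a helpdesk group that once had broad rights on the OU can read every local admin password without ever being added to LAPS-Readers.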

April 2023 Patch Tuesday: CLFS Under Active Attack Again; 10-Year-Old Bug Reissued
https://mytechdecisions.com/network-security/april-2023-patch-tuesday-clfs-under-active-attack-again-10-year-old-bug-reissued/
Tue, 11 Apr 2023 19:16:14 +0000

The post April 2023 Patch Tuesday: CLFS Under Active Attack Again; 10-Year-Old Bug Reissued appeared first on My TechDecisions.

IT administrators in Microsoft environments have about 100 patches to apply for the April 2023 Patch Tuesday release, including one in the Windows Common Log File System (CLFS) driver that is being actively exploited and another from 2013 that is being reissued.

The company released patches for 97 vulnerabilities in its products, in addition to three Edge bugs patched earlier this month. Of the new patches, 45 fix remote code execution bugs.

Let’s take a look at some of the more serious Microsoft bugs that IT admins should prioritize this month, in addition to others from Apple and Adobe, with information sourced from Microsoft, Zero Day Initiative (ZDI), Tenable, and others.

CVE-2023-28252 – Windows Common Log File System Driver Elevation of Privilege Vulnerability

Microsoft lists this bug as under active attack, and it was reported by threat intelligence firm Mandiant, so right away this patch is of elevated importance. Although Microsoft rates it only "important" with a CVSS score of 7.8, it lists the attack complexity and privileges required as low. The company says the bug could allow an attacker to gain SYSTEM privileges. It is similar to a CLFS bug patched in February, which suggests the first patch was not complete.

According to Satnam Narang, senior staff research engineer at vulnerability management firm Tenable, this is also the fourth CLFS elevation of privilege bug exploited in the last two years, dating back to April 2022.

CVE-2023-21554 – Microsoft Message Queuing Remote Code Execution Vulnerability

This is another very important bug to prioritize: it receives a CVSS score of 9.8 and appears to be very easy to exploit, requiring no user interaction and a low attack complexity. According to Microsoft, a remote unauthenticated attacker would need to send a specially crafted malicious MSMQ packet to an MSMQ server, resulting in remote code execution on the server. The Message Queuing service is disabled by default, but many contact center applications use it.

According to ZDI, the service listens on TCP port 1801 by default, so blocking that port at the perimeter would prevent external attacks until the patch is applied.

CVE-2023-23384 – Microsoft SQL Server Remote Code Execution Vulnerability

This vulnerability was actually patched in February, but Microsoft is only now documenting the bug. According to ZDI, the patch fixes an out-of-bounds write in the SQLcmd tool, which could allow a remote, unauthenticated attacker to execute code with elevated privileges. The CVSS score is only 6.4, which ZDI says may be due to a high attack complexity. Organizations running SQL Server should make sure they have both the February and April updates installed.

CVE-2013-3900 – WinVerifyTrust Signature Validation Vulnerability

If you took a look at the CVE number and figured it was just a typo, you'd be wrong. This decade-old vulnerability is being reissued, likely because it is being exploited as part of the 3CX supply-chain attacks. ZDI calls the 2013 patch an "opt-in" fix: the stricter signature check ships disabled, and admins have to enable it themselves by setting the EnableCertPaddingCheck registry value documented in the advisory. The revised advisory adds fixes for additional platforms and further recommendations for enterprises.

According to Microsoft, an anonymous attacker can exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This is especially dangerous for users with administrative rights.

Exploitation of this vulnerability requires that a user or application run or install a specially crafted, signed PE file. An attacker could modify an existing signed file to include malicious code without invalidating the signature. This code would execute in the context of the privilege in which the signed PE file was launched.

In an email attack scenario, an attacker could exploit this vulnerability by sending a user an email message containing the specially crafted PE file and convincing the user to open the file.

There is a lot of information to digest for this bug; Microsoft's advisory for CVE-2013-3900 has the full details, including the exact registry settings, and is worth reading in full.
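As an added example that is not part of the article, the script below turns three of the April items above into host-level checks a Windows admin can run: whether MSMQ is installed and listening on TCP/1801 (with a local block rule as a stop-gap), whether the opt-in CVE-2013-3900 certificate-padding check is enabled, and which patch level each SQL Server instance reports. The registry paths and the EnableCertPaddingCheck value are the ones Microsoft's CVE-2013-3900 advisory documents; the rest uses only standard Windows cmdlets. Run it elevated.

```powershell
# Added example, not from the article or Microsoft: April 2023 exposure checks.

function Test-MsmqExposure {
    # CVE-2023-21554: only reachable if the MSMQ service exists and is listening on 1801.
    $svc      = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed   = [bool]$svc
        Running     = [bool]($svc -and $svc.Status -eq 'Running')
        Listening   = [bool]$listener
        Recommended = if (-not $svc) { 'Not installed; nothing to do' }
                      elseif ($listener) { 'Patch, and block TCP/1801 from untrusted networks' }
                      else { 'Patch; service present but not listening' }
    }
}

function Block-MsmqInbound {
    # Stop-gap until the patch lands: drop inbound 1801 from anything outside the local
    # subnet. Narrow -RemoteAddress further if legitimate MSMQ peers sit on other subnets.
    New-NetFirewallRule -DisplayName 'Block MSMQ TCP/1801 from remote networks' `
        -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Block `
        -RemoteAddress Internet -Profile Any
}

function Get-CertPaddingCheck {
    # CVE-2013-3900: the 2013 fix is opt-in. WinVerifyTrust only rejects Authenticode
    # signatures with extra, unhashed bytes in the certificate table when this value is set.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{ Path = $p; EnableCertPaddingCheck = $v; Enabled = ($v -eq '1') }
    }
}

function Enable-CertPaddingCheck {
    # The advisory specifies a REG_SZ "1"; on x64 both the native and WOW6432 hives need it.
    foreach ($p in (Get-CertPaddingCheck).Path) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        Set-ItemProperty -Path $p -Name EnableCertPaddingCheck -Value '1' -Type String
    }
    Get-CertPaddingCheck
}

function Get-SqlServerPatchLevel {
    # CVE-2023-23384: list every instance's PatchLevel to compare against the February
    # and April cumulative-update builds for its major version.
    $names = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL' -ErrorAction SilentlyContinue
    if (-not $names) { return }
    foreach ($prop in ($names.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $setup = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($prop.Value)\Setup"
        [pscustomobject]@{ Instance = $prop.Name; InstanceId = $prop.Value
                           Edition  = $setup.Edition; PatchLevel = $setup.PatchLevel }
    }
}

Test-MsmqExposure
Get-CertPaddingCheck
Get-SqlServerPatchLevel
```

Test Enable-CertPaddingCheck on a pilot group before fleet-wide rollout: once the check is on, any installer or in-house binary whose signature was padded (some signing pipelines append data after the signature on purpose) will fail signature validation.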

Apple Patches

In addition to Microsoft, Apple released fixes for two CVEs last week that were listed as under active attack, including CVE-2023-28205, a use-after-free bug in WebKit that impacts Safari, macOS and iOS. It can lead to code execution at the level of the logged-on user.

The first bug would need to be paired with a privilege escalation flaw to take over a system, and another bug patched by Apple this month does just that, according to ZDI. That bug, CVE-2023-28206, is a privilege escalation in the IOSurfaceAccelerator component in macOS and iOS.

Adobe Patches

Adobe released fixes for 56 vulnerabilities this month, including 16 in Reader alone that could lead to arbitrary code execution if a user is tricked into opening a specially crafted PDF.

My TechDecisions Podcast Episode 190: March 2023 Patch Tuesday
https://mytechdecisions.com/podcast/march-2023-patch-tuesday-podcast/
Thu, 16 Mar 2023 14:47:18 +0000
Satnam Narang, senior staff research engineer at Tenable, joins the podcast to discuss Microsoft's March 2023 Patch Tuesday.

The post My TechDecisions Podcast Episode 190: March 2023 Patch Tuesday appeared first on My TechDecisions.

In this episode of the My TechDecisions Podcast, we discuss the March 2023 Patch Tuesday security updates from Microsoft with Satnam Narang, a senior staff research engineer at Tenable.

According to Narang, IT admins should focus first on two vulnerabilities that are being exploited in the wild: an Outlook elevation-of-privilege bug, credited to Ukraine's CERT, that leaks NTLM credentials, and a Windows SmartScreen security feature bypass that is reportedly being used to deploy ransomware.

While Narang dives deeper into the bugs, here is some information about them:

CVE-2023-23397 – Microsoft Outlook Elevation of Privilege Vulnerability

This bug is getting a lot of attention from security researchers. It carries a CVSSv3 score of 9.8 and has been exploited in the wild, which makes it a top priority for IT and security admins this month. It is triggered by sending a specially crafted email (a message, calendar item or task whose reminder-sound property, PidLidReminderFileParameter, points to a UNC path) to a user running a vulnerable version of Outlook for Windows. The Outlook client processes the item without the user opening it and connects to the attacker-controlled SMB server named in that path, which leaks the recipient's Net-NTLMv2 hash. The attacker can then use the hash to authenticate as the victim in an NTLM relay attack.

What makes this even more interesting is that the discovery of this vulnerability is credited to the Computer Emergency Response Team of Ukraine and Microsoft researchers. Given what is currently happening in Ukraine, this bug could be significant.

CVE-2023-24880 – Windows SmartScreen Security Feature Bypass Vulnerability

This is the other vulnerability listed as under active attack, though it is not as severe as the Outlook bug. It lets attackers craft files that bypass Mark of the Web protections, so the SmartScreen warning and Protected View in Microsoft Office never engage, allowing threat actors to deliver malware via crafted documents and other files.

This bug was discovered by Google's Threat Analysis Group (TAG), which says ransomware groups are using the vulnerability to deliver the Magniber ransomware without any security warnings.
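Added here as an example, not part of the podcast write-up or of Microsoft's guidance text: host-side checks and mitigations for the two exploited March bugs. The outbound TCP/445 block and the Protected Users group are the two mitigations Microsoft's CVE-2023-23397 advisory lists; the Zone.Identifier alternate data stream is where Windows stores Mark of the Web. The sample download path and the user names are hypothetical, and Add-ToProtectedUsers assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example, not from the article or Microsoft: March 2023 mitigation checks.

function Test-OutboundSmbBlocked {
    # CVE-2023-23397 leaks Net-NTLMv2 by making Outlook open an attacker UNC path over SMB.
    # Reports whether any enabled outbound block rule on this host covers TCP/445.
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and (@($pf.RemotePort) -contains '445')
        }
    [pscustomobject]@{
        OutboundSmbBlockRule = [bool]$rules
        Rules                = ($rules.DisplayName -join '; ')
    }
}

function Block-OutboundSmbToInternet {
    # Blocks SMB to destinations off the local subnet; file servers on the local subnet
    # keep working. Perimeter and VPN filtering should enforce the same thing.
    New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet (CVE-2023-23397)' `
        -Direction Outbound -Protocol TCP -RemotePort 445 -RemoteAddress Internet `
        -Action Block -Profile Any
}

function Add-ToProtectedUsers {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    # Members of Protected Users cannot authenticate with NTLM at all, so a leaked hash
    # cannot be relayed. Kerberos-only and no cached logons: pilot before wide rollout.
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # CVE-2023-24880 is about files that slip past SmartScreen. A file that arrived from
    # the internet should carry ZoneId=3; if it does not, SmartScreen and Protected View
    # never engage, which is the condition this helper surfaces.
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path    = $Path
        HasMotW = [bool]$zone
        ZoneId  = ($zone | Where-Object { $_ -like 'ZoneId=*' })  -replace 'ZoneId=', ''
        HostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace 'HostUrl=', ''
    }
}

Test-OutboundSmbBlocked
Get-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\invoice.docx"   # hypothetical sample file
# Add-ToProtectedUsers -SamAccountName 'j.doe','a.smith'             # hypothetical accounts
```

Blocking outbound 445 stops the SMB variant, but the same reminder property can point at a WebDAV path, which Windows retries over HTTP on port 80 when SMB fails, so patching Outlook is still the real fix; the firewall rule and Protected Users only limit what a leaked hash is worth.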

Other notable bugs include an ICMP remote code execution vulnerability (CVE-2023-23415) and an HTTP Protocol Stack remote code execution bug (CVE-2023-23392).

Microsoft also released fixes for 74 other vulnerabilities, including 25 remote code execution bugs.

For more information on the March 2023 Patch Tuesday release, consult Microsoft’s Security Update Guide and analysis from Tenable.
