Microsoft March 2023 Patch Tuesday fixes 2 zero-days, 83 flaws

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Today is Microsoft's March 2023 Patch Tuesday, and security updates fix two actively exploited zero-day vulnerabilities and a total of 83 flaws.

Nine vulnerabilities have been classified as 'Critical' for allowing remote code execution, denial of service, or elevation of privileges attacks.

The number of bugs in each vulnerability category is listed below:
  • 21 Elevation of Privilege Vulnerabilities
  • 2 Security Feature Bypass Vulnerabilities
  • 27 Remote Code Execution Vulnerabilities
  • 15 Information Disclosure Vulnerabilities
  • 4 Denial of Service Vulnerabilities
  • 10 Spoofing Vulnerabilities
  • 1 Edge - Chromium Vulnerability
This count does not include twenty-one Microsoft Edge vulnerabilities fixed yesterday.

Two zero-days fixed​

This month's Patch Tuesday fixes two zero-day vulnerabilities actively exploited in attacks.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The two actively exploited zero-day vulnerabilities fixed in today's updates are:

CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability

Microsoft has fixed a Microsoft Outlook privilege elevation bug that allows specially crafted emails to force a target's device to connect to a remote URL and transmit the Windows account's Net-NTLMv2 hash.

"External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.," reads Microsoft's advisory.

Microsoft warns that this flaw will be triggered before it is read in the preview pane as the vulnerability "triggers automatically when it is retrieved and processed by the email server."

This vulnerability was disclosed by CERT-UA, Microsoft Incident, Microsoft Threat Intelligence (MSTI).

CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability

Microsoft has fixed an actively exploited zero-day vulnerability in Windows SmartScreen that was previously exploited to distribute and install malware.

"An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," reads Microsoft's advisory.

When exploited, the malicious file can run without triggering a Mark of the Web (MoTW) security warning.

This vulnerability was disclosed by Benoît Sevens and Vlad Stolyarov of Google’s Threat Analysis Group and Bill Demirkapi of Microsoft.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
The March 2023 Security Update Review
Happy Pi Day, and welcome to the third patch Tuesday of 2023 and the final patch Tuesday before Pwn2Own Vancouver. Take a break from your regularly scheduled activities and join us as we review the details of the latest security offerings from Microsoft and Adobe.

Adobe Patches for March 2023

For March, Adobe released eight patches addressing 105 CVEs in Adobe Photoshop, Experience Manager, Dimension, Commerce, Substance 3D Stager, Cloud Desktop Application, and Illustrator. A total of 77 of these bugs were reported through the ZDI program. This is the largest Adobe update in quite some time. The patch for Cold Fusion is listed as under active exploit. It fixes three bugs, including a Critical-rate code execution bug that rates a CVSS 9.8. This patch receives a deployment priority of 1 from Adobe as well.

The patch for Dimension is the largest of the bunch, with nearly 60 CVEs addressed by that patch alone. The update for Substance 3D Stager is also heft with 16 bugs fixed, many of which could lead to arbitrary code execution. The Experience Manager patch fixes 18 bugs including several cross-site scripting (XSS) and open redirects.

The patch for Commerce includes a fix for an unauthenticated file system read. If you’re using the platform, a disclosure like this could prove costly. The updates for Photoshop and Illustrator address many open-and-own bugs that could lead to code execution at the level of the current user. The patch for Creative Cloud fixes a single, Critical-rated code execution bug.

None of the other bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. With the exception of Cold Fusion, Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for March 2023

This month, Microsoft released 74 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Edge (Chromium-based); Microsoft Dynamics; Visual Studio; and Azure. This is in addition to four Github and two TPM CVEs that were previously released and are now being shipped for Microsoft products. Two of these CVEs were submitted through the ZDI program.

Of the patches released today, six are rated Critical and 67 are rated Important, and one is rated Moderate in severity. This volume seems to be the “new normal” for Microsoft releases. However, like we saw last month, remote code execution (RCE) bugs continue to dominate the release.

Two of the new CVEs are listed as under active attack at the time of release with one of those also being listed as publicly known.

Microsoft Windows Security Updates March 2023: What you need to know before installation
Here is the Excel spreadsheet for the security updates that Microsoft released on the March 2023 Patch Day. A click on the following link downloads the archive to the local system: Microsoft Windows security updates march 2023

Executive Summary​

  • Microsoft released security updates for all supported client and server versions of Windows.
  • Security updates are also available for Azure, Microsoft Office, Microsoft Edge, Microsoft printer drivers, Visual Studio, and other company products.
  • The following Windows client version have known issues: Windows 10, version 1809, version 20H2, 21H1 and 22H2, Windows 11 version 22H2.
  • The following Windows server versions have known issues: Windows Server 2008, 2008 R2, 2012, Windows Server 2019, and Windows Server 2022.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
fwiw, I ran today's win update in VMware 16.2.5 with win10 22H2 Guest OS running MS Defender and H_C. After the download, the reboot balked in VMw and it powered OFF Guest vm. So I calmly closed VMw and then rebooted the machine win10 host, and I got a popup warning from MS that irregular shutdown, unfortunately I did not get the exact verbiage. But good news for me, that eventually VMw worked it out with the Guest & win10_vm updated itself and it seems ok. Not sure what the snafu was today.
 
F

ForgottenSeer 98186

Microsoft Windows Security Updates March 2023: What you need to know before installation

The following Windows server versions have known issues: Windows Server 2008, 2008 R2, 2012
You would not believe the number of companies and organizations that still run Server 2008 and 2012 (especially) - many fully unpatched.

fwiw, I ran today's win update in VMware 16.2.5 with win10 22H2 Guest OS running MS Defender and H_C. After the download, the reboot balked in VMw and it powered OFF Guest vm. So I calmly closed VMw and then rebooted the machine win10 host, and I got a popup warning from MS that irregular shutdown, unfortunately I did not get the exact verbiage. But good news for me, that eventually VMw worked it out with the Guest & win10_vm updated itself and it seems ok. Not sure what the snafu was today.
On two systems today the updates proceeded without incident, but you know, there will be a laundry list of issues published in the coming days - just like most any Windows update.

Windows updates go great on nice, tidy systems that are well-maintained. In enterprise and unmanaged home user systems that have not been clean-installed in a long time, or have lots of software with long histories of install\uninstalls - that's where Windows updates wreak their havoc.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
On two systems today the updates proceeded without incident, but you know, there will be a laundry list of issues published in the coming days - just like most any Windows update.

Windows updates go great on nice, tidy systems that are well-maintained. In enterprise and unmanaged home user systems that have not been clean-installed in a long time, or have lots of software with long histories of install\uninstalls - that's where Windows updates wreak their havoc.
fwiw2: yesterday's win10 updates installed ok on my win10 Host. I'm going to wait a few days before updating other vm here.
 
F

ForgottenSeer 98186

fwiw2: yesterday's win10 updates installed ok on my win10 Host. I'm going to wait a few days before updating other vm here.
I only searched for the Windows 11 versions of the updates. You will get the same amount of issues reported by users for the Windows 10 updates.

Example:


Issues happen to users after every update. The issues are worse in an enterprise environment.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top