Alex - stock.adobe.com
Microsoft stops two zero-days for March Patch Tuesday
The company corrects actively exploited vulnerabilities that affected Microsoft Outlook and the Windows OS in this month's batch of security updates.
Microsoft plugged two zero-days, one affecting Windows systems and another in Microsoft Outlook, for March Patch Tuesday.
In total Microsoft addressed 84 unique CVEs, although four were re-releases. Nine CVEs were rated critical. Most of the security updates affect the Windows operating system; applying the cumulative update will resolve the brunt of this month's vulnerabilities. Administrators whose environments depend on stability with printing will want to brace themselves for testing that functionality due to the 20 security updates for printer drivers this month.
Windows zero-day, Outlook zero-day resolved
The Windows zero-day is a SmartScreen security feature bypass vulnerability (CVE-2023-24880) rated moderate for Windows desktop and server systems. Microsoft reported this bug was also publicly disclosed. This flaw has a CVSS rating of 5.4 and requires user interaction to trigger the vulnerability.
Mark of the Web (MOTW) is a Windows security feature that tags content copied from an untrusted source, such as the internet. Microsoft's CVE notes state that when the user tries to run a file, the SmartScreen feature checks the file for a zone identifier Alternate Data Stream. Files downloaded from the internet get a ZoneID=3 designation, which triggers a reputation check in SmartScreen. An attacker could build a malicious file to avoid the MOTW system and other protections, such as Protected View in Microsoft Office.
The low CVSS rating and severity level indicate this bug by itself is not a major threat. But it could be the final piece a threat actor needs to build an attack chain consisting of several vulnerabilities to overtake a targeted system.
The second zero-day is a Microsoft Outlook elevation-of-privilege vulnerability (CVE-2023-23397) rated critical with a CVSS rating of 9.8. This flaw affects several Outlook versions, including Microsoft 365 Apps for Enterprise systems, and does not rely on the Outlook preview pane as an attack vector.
"The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the email server," Microsoft wrote in its CVE notes.
Microsoft recommended blocking TCP 445/SMB outbound from the organization's network and adding users to the Active Directory security group named Protected Users to prevent credential theft via NTLM relay attacks.
"There's more guidance in the CVE that people should investigate to see if they can lock things down even tighter in their environments," said Chris Goettl, Ivanti vice president of security product management. "Organizations that still rely on NTLM authentication for certain applications might not be able to fully implement this type of functionality to mitigate the threats more effectively."
Goettl said this vulnerability is more likely to affect companies that rely on older applications that they haven't been able to modernize rather than enterprises that have moved on to SaaS applications.
The other publicly disclosed vulnerability is a curl remote-code execution flaw (CVE-2022-43552) that affects several Microsoft products, including Windows server and desktop systems, and 2.0 of CBL-Mariner, a Linux operating system Microsoft developed for its cloud and edge products. Curl is a command-line tool used to send data with different network protocols.
Microsoft released the CVE on Feb. 9. The update for March Patch Tuesday indicated Microsoft found more affected Windows versions, and a new curl library in an upcoming security release would resolve the flaw.
Microsoft corrects 20 printer driver issues
March Patch Tuesday plugged 20 vulnerabilities in the Microsoft PostScript and PCL6 Class printer driver: ten were for remote-code execution flaws, nine for information disclosure bugs and one for elevation of privilege.
Many in IT have lingering trauma from both patching systems affected by the PrintNightmare vulnerability in July 2021 and then dealing with the difficulties that arose from more stringent controls on printer driver installation. Due to the high volume of fixes, administrators should set aside ample time to test printing on affected devices.
"Any time we see that many print driver or print spooler changes, there's a high chance that there will be some impact on printer behavior," Goettl said.
Other security updates of note for March Patch Tuesday
An Internet Control Message Protocol (ICMP) remote-code execution vulnerability, rated critical for Windows Server and desktop systems, has the highest CVSS rating this month with 9.8. This flaw, which relates to an error-reporting protocol, does not require privileges or user interaction for an attacker on the network to exploit the vulnerability.
Microsoft included four CVEs that originated from GitHub with its March Patch Tuesday vulnerabilities list. The vulnerabilities (CVE-2023-22490, CVE-2023-22743, CVE-2023-23618 and CVE-2023-23946) are rated important and relate to flaws in the Git revision control system incorporated in Visual Studio. Deploying patches for Microsoft's integrated development environment typically fall outside the purview of the systems administrator and require cooperation between multiple groups to keep vulnerabilities from falling through the cracks.
"The development teams and operations teams need to be included in your vulnerability management program to ensure the development stack and CI/CD pipeline are updated throughout your organization," Goettl said.