On Tuesday, Microsoft released its cumulative security update for March 2023, known as Patch Tuesday because the company ships it on the second Tuesday of every month.
In this month's release the US tech giant patched a total of 83 vulnerabilities, including 9 rated critical and 2 zero-days that were already being actively exploited.
Among these, Microsoft said it fixed 21 elevation-of-privilege vulnerabilities, 2 security feature bypasses, 27 remote code execution vulnerabilities, 4 denial-of-service vulnerabilities, 10 spoofing vulnerabilities, and one vulnerability in the Edge browser.
But the most important fixes are for two previously undisclosed vulnerabilities that attackers found and exploited before a patch existed, leaving victims with no way to defend against them.
The two zero-days fixed in March 2023 are CVE-2023-23397, an elevation-of-privilege vulnerability in Microsoft Outlook, and CVE-2023-24880, a security feature bypass in Windows SmartScreen.
To exploit the Outlook flaw, the attacker sends a specially crafted email that forces the target computer to connect to a remote UNC path under the attacker's control and transmit the Net-NTLMv2 hash of the Windows account. Outlook triggers the connection automatically while processing the message, so the victim does not have to open or even preview the email.
Microsoft explained that an external attacker can send an email built specifically to cause a connection from the victim's machine to an external UNC location controlled by the attacker.
This leaks the victim's Net-NTLMv2 hash to the attacker, who can then relay it to another service and authenticate as the victim, the company added. A Net-NTLMv2 hash cannot be used directly the way an NT hash can in a pass-the-hash attack, but it can be relayed to services that do not enforce signing, or cracked offline if the password is weak. Microsoft also said that the threat actor it tracks as Strontium is abusing the vulnerability.
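The attack described above only works if the victim's machine can reach the attacker's UNC path. The following PowerShell is an added example, not code from the article or from Microsoft, showing the mitigations a Windows administrator would typically apply against this class of forced-authentication bug: blocking outbound SMB, checking the WebDAV fallback, and (in a domain) keeping high-value accounts in the Protected Users group, which stops them from authenticating with NTLM at all. The firewall rule name and the sample account names are assumptions for illustration; run it in an elevated session.

```powershell
# Added example: mitigations for forced-NTLM-authentication bugs on a Windows client.
# Not from the article or Microsoft; rule name and account names are assumptions.
# Requires an elevated PowerShell session on Windows.

# 1. Block outbound SMB (TCP 445). A UNC path such as \\attacker\share is reached
#    over SMB, so blocking the port stops the hash from ever leaving the host.
$ruleName = 'Block outbound SMB (NTLM leak mitigation)'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -Action Block -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action

# 2. Check the WebDAV client. When SMB fails, Windows can retry a UNC path over
#    WebDAV (port 80/443) through the WebClient service, which would reopen the
#    leak; disable it if nothing on the host needs WebDAV.
Get-Service WebClient | Select-Object Name, Status, StartType
# Stop-Service WebClient
# Set-Service WebClient -StartupType Disabled

# 3. In a domain, members of Protected Users cannot authenticate with NTLM, so
#    a leaked Net-NTLMv2 hash for those accounts is useless to relay. Requires the
#    ActiveDirectory module and rights to read/modify the group.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADGroupMember -Identity 'Protected Users' |
        Select-Object SamAccountName, objectClass
    # Add-ADGroupMember -Identity 'Protected Users' -Members 'jdoe', 'asmith'   # sample names, assumed
}
```

Two caveats: the outbound 445 block also cuts access to legitimate file shares outside the local network, so most organisations apply it only for traffic to the Internet at the perimeter rather than to all destinations; and Protected Users membership breaks any application that still relies on NTLM for those accounts, so test it on a few accounts before rolling it out.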
The other zero-day, in Windows SmartScreen, lets attackers bypass the Mark of the Web (MOTW) warnings. When a file is downloaded from the Internet, Windows tags it with a mark (stored as an NTFS Zone.Identifier alternate data stream) so that SmartScreen and other components treat it as potentially harmful.
An attacker could craft a malicious file that evades the MOTW defenses, resulting in a limited loss of integrity and availability of security features that depend on the MOTW tag, such as Protected View in Microsoft Office.
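To make the Mark of the Web concrete, the following PowerShell is an added example (not from the article) that creates a constructed sample file in the temp directory, tags it the way a browser download would by writing the Zone.Identifier alternate data stream, reads the tag back, and then removes it with Unblock-File. The file name and the helper function name are assumptions; it needs Windows with an NTFS volume, because alternate data streams do not exist on FAT or exFAT.

```powershell
# Added example: how Mark of the Web is stored and checked. Not code from the
# article; file name and function name are assumptions. Windows + NTFS only.

$sample = Join-Path $env:TEMP 'motw-demo.txt'          # assumed name
Set-Content -Path $sample -Value 'constructed sample file'

# Tag the file as coming from the Internet zone (ZoneId=3). A browser download
# writes the same stream, usually with extra ReferrerUrl/HostUrl lines.
Set-Content -Path $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

function Get-MotwZone {
    # Returns the ZoneId from the file's Zone.Identifier stream, or $null when the
    # file carries no Mark of the Web (never downloaded, unblocked, or copied to
    # a file system without alternate data streams).
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)$') { return [int]$Matches[1] }
    }
    return $null
}

# While the tag is present, SmartScreen and Office Protected View act on the file.
Get-MotwZone -Path $sample

# Unblock-File deletes the Zone.Identifier stream; the file then opens without
# any MOTW warning, which is exactly the effect a MOTW bypass achieves silently.
Unblock-File -Path $sample
Get-MotwZone -Path $sample

Remove-Item -Path $sample
```

The zone numbers follow the Internet Explorer security zones: 0 is Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet and 4 Restricted Sites; only files marked 3 or 4 trigger SmartScreen and Protected View. Because the mark is just a data stream on the file, anything that creates the file without it (an archive tool or installer that does not propagate the stream, or a bypass like the one patched here) removes the protection without the user seeing any difference.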