On Tuesday, Microsoft released a sizable number of software security updates and published advisories for two zero-day vulnerabilities that still threaten Windows OS users. The software giant from Redmond, Washington, released patches for at least 80 Windows problems and specifically mentioned CVE-2023-23397, a severe hole in Microsoft Outlook that has been used in zero-day assaults.
In keeping with tradition, Microsoft’s security response center did not offer any technical details or indicators of compromise (IOCs) to help defenders search for evidence of compromise. Microsoft did, however, issue a detection script to help defenders look for signs of exploitation, and it attributed this exploitation to a Russian threat actor.
Microsoft credited the discovery to the Ukrainian CERT organization and its own MSTI threat intelligence unit, indicating that the flaw was being used in sophisticated APT attacks in Europe.
In a sparse bulletin outlining the flaw, Microsoft stated that an attacker who successfully exploited it could obtain a user’s Net-NTLMv2 hash and launch an NTLM relay attack against another service in order to authenticate as that user.
Microsoft said an attacker could exploit the vulnerability by sending a specially crafted email that triggers automatically when it is retrieved and processed by the email server. “This might result in exploitation BEFORE the email is read in the Preview Pane,” Redmond continued, pointing out that outside attackers could send specially crafted emails that force a connection from the victim to an external UNC path under the attackers’ control.
The company warned that this would reveal the victim’s Net-NTLMv2 hash to the attacker, who could then use it to authenticate as the victim on another service. However, Microsoft cautioned that a second vulnerability, CVE-2023-24880, needs immediate attention and that attackers are still actively evading its SmartScreen protection mechanism.
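The bulletin’s description above comes down to one observable: a reminder sound path in a mail item that points at a UNC location outside the organization. The following PowerShell is an added example, not Microsoft’s detection script, and it assumes you have already extracted those path values from mailbox items into strings; it then classifies each one so only external targets are escalated. The `.corp.example` suffix and the sample paths are constructed for illustration.

```powershell
# Added example (not Microsoft's detection script): classify Outlook reminder
# sound paths already extracted from mailbox items and flag those that would
# force an outbound SMB/WebDAV authentication to a host outside the organisation.
# $InternalSuffixes and the sample paths below are constructed placeholders.

function Test-PrivateIPv4 {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

function Get-UncHost {
    # Returns the host portion of a UNC path, or $null if the value is not UNC.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    $p = $Path.Trim()
    # Long-path form \\?\UNC\host\share is normalised to \\host\share
    if ($p -match '^\\\\\?\\UNC\\(.+)$') { $p = '\\' + $Matches[1] }
    if ($p -notmatch '^\\\\([^\\]+)') { return $null }
    $hostPart = $Matches[1]
    # WebDAV forms host@80 and host@SSL@443 are served by the WebClient service;
    # strip the port/SSL suffix so only the host name is classified.
    return ($hostPart -split '@')[0]
}

function Test-ExternalUncTarget {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$InternalSuffixes = @('.corp.example')   # assumption: your AD DNS suffixes
    )
    $unc = Get-UncHost -Path $Path
    if ($null -eq $unc) { return $false }                  # local file: no network authentication
    if (Test-PrivateIPv4 -Address $unc) { return $false }  # RFC 1918 / loopback literal
    foreach ($s in $InternalSuffixes) {
        if ($unc.EndsWith($s, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    if ($unc -notmatch '\.') { return $false }             # single-label name resolves via internal suffix search
    return $true                                           # public IP or external DNS name: escalate
}

# Constructed sample values standing in for extracted reminder sound paths
$samples = @(
    'C:\Windows\Media\Alarm01.wav',
    '\\fileserver.corp.example\sounds\ding.wav',
    '\\10.20.30.40\share\reminder.wav',
    '\\203.0.113.9\pub\reminder.wav',
    '\\?\UNC\unknown-host.example.net\sounds\reminder.wav',
    '\\unknown-host.example.net@80\reminder.wav'
)
foreach ($s in $samples) {
    [pscustomobject]@{ Path = $s; ExternalTarget = (Test-ExternalUncTarget -Path $s) }
}
```

Only the last three samples are reported as external. The `host@80` form matters for triage: it is the WebDAV syntax that the WebClient service handles when TCP 445 is blocked, which is why the mitigations later in this article address that service separately from the SMB port.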
Although both Microsoft Edge and the Windows operating system ship with SmartScreen technology to defend against phishing and social-engineering malware downloads, the company has so far been unable to stop attackers from working around those defenses. Microsoft made several attempts to address the problem after discovering that the infamous Magniber ransomware campaign was using the SmartScreen bypass.
A zero-day flaw in the Adobe ColdFusion web app development platform has prompted “extremely limited attacks,” according to a separate urgent warning from the software company Adobe.
Adobe’s alert was included in a critical-severity advisory that also contained updates for ColdFusion 2021 and 2018. Adobe stated that it was aware that CVE-2023-26360 had been used in the wild in a very small number of attacks targeting ColdFusion. The compromises found in the wild were not described further.
Microsoft Provided Several Additional Mitigations
Applying vendor patches as soon as they are obtainable and practical is always strongly advised for users. Microsoft has made a patch available as part of its March 2023 Monthly Security Update (more commonly known as “Patch Tuesday”).
Microsoft has also provided several additional mitigations in its security bulletin that can be implemented; however, as with any changes of this nature, administrators should carefully assess the impact on other production applications and apply them based on an appropriate risk/reward analysis:
Users can turn off the WebClient service (note, however, that this will block all WebDAV connections, including intranet ones).
Enrolling users in the Protected Users security group prevents NTLM from being used as an authentication method. This may affect NTLM-dependent programs in your environment.
Use a local firewall, a perimeter firewall, and your VPN settings to block TCP 445/SMB traffic leaving your network. By doing this, NTLM authentication messages won’t be sent to distant file shares.
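The three mitigations above are each a single administrative change, so the following PowerShell is an added example (not from Microsoft’s bulletin) that audits all three on a host and applies them only when run with `-Apply`. It assumes an elevated session, that the host firewall is the Windows Defender Firewall, and that the ActiveDirectory module is available for the Protected Users step; the account name in `$UsersToProtect` is a constructed placeholder.

```powershell
# Added example (not from Microsoft's bulletin): audit, and optionally apply,
# the three mitigations quoted above. Run elevated. The Protected Users step
# needs the ActiveDirectory module on a domain-joined administrative host.
# $UsersToProtect is a constructed placeholder list.
param(
    [switch]$Apply,                                      # without -Apply, only report
    [string[]]$UsersToProtect = @('finance.analyst')     # placeholder sAMAccountNames
)

$ruleName = 'Block outbound SMB (TCP 445)'

# 1. WebClient service: disabling it stops WebDAV (\\host@80\... style) connections,
#    including intranet ones, so confirm nothing depends on it first.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    Write-Host ("WebClient: status={0} startup={1}" -f $svc.Status, $svc.StartType)
    if ($Apply) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
}

# 2. Outbound TCP 445: a host firewall rule so NTLM authentication is not sent to
#    remote file shares. Mirror this on the perimeter firewall and in VPN policy.
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
Write-Host ("Firewall rule '{0}' present: {1}" -f $ruleName, [bool]$rule)
if ($Apply -and -not $rule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Action Block -Profile Any | Out-Null
}

# 3. Protected Users: members cannot authenticate with NTLM at all, so expect
#    breakage in NTLM-dependent applications; stage this per user.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    foreach ($sam in $UsersToProtect) {
        $member = Get-ADGroupMember -Identity 'Protected Users' |
                  Where-Object { $_.SamAccountName -eq $sam }
        Write-Host ("{0} in Protected Users: {1}" -f $sam, [bool]$member)
        if ($Apply -and -not $member) {
            Add-ADGroupMember -Identity 'Protected Users' -Members $sam
        }
    }
}
else {
    Write-Host 'ActiveDirectory module not available; skipping Protected Users check.'
}
```

Run it once without `-Apply` to record the current state, then with `-Apply` on a pilot group. The firewall rule blocks only outbound SMB; it does not stop the WebDAV fallback, which is why the WebClient step is kept alongside it.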
Security experts have publicly disclosed the Microsoft Outlook for Windows vulnerability (CVE-2023-23397), which enables attackers to remotely capture hashed passwords when the victim merely receives an email. The security hole was patched by Microsoft yesterday. However, NTLM relay attacks have been using it as a zero-day since at least mid-April 2022.
All Windows versions of Microsoft Outlook are affected by the problem, which is a privilege escalation vulnerability with a 9.8 severity rating. As exploitation takes place when Outlook is open and the reminder is triggered on the machine, no user involvement is required. By just sending the target a malicious email, an attacker can utilize it to steal NTLM credentials.
Windows New Technology LAN Manager (NTLM) is an authentication method used in Windows domains that works with hashed login credentials. When a client tries to access a shared resource, the server receives password hashes from the client. Despite the recognized concerns, NTLM authentication is still used on new systems to maintain compatibility with legacy systems.