[ad_1]
Microsoft on Tuesday launched updates to quash at the least 74 safety bugs in its Windows working methods and software program. Two of these flaws are already being actively attacked, together with an particularly extreme weak spot in Microsoft Outlook that may be exploited with none consumer interplay.
The Outlook vulnerability (CVE-2023-23397) impacts all variations of Microsoft Outlook from 2013 to the most recent. Microsoft stated it has seen proof that attackers are exploiting this flaw, which could be accomplished with none consumer interplay by sending a booby-trapped e mail that triggers routinely when retrieved by the e-mail server — earlier than the e-mail is even considered within the Preview Pane.
While CVE-2023-23397 is labeled as an “Elevation of Privilege” vulnerability, that label doesn’t precisely replicate its severity, stated Kevin Breen, director of cyber menace analysis at Immersive Labs.
Known as an NTLM relay assault, it permits an attacker to get somebody’s NTLM hash [Windows account password] and use it in an assault generally known as “Pass The Hash.”
“The vulnerability effectively lets the attacker authenticate as a trusted individual without having to know the person’s password,” Breen stated. “This is on par with an attacker having a valid password with access to an organization’s systems.”
Security agency Rapid7 factors out that this bug impacts self-hosted variations of Outlook like Microsoft 365 Apps for Enterprise, however Microsoft-hosted on-line companies like Microsoft 365 are not weak.
The different zero-day flaw being actively exploited within the wild — CVE-2023-24880 — is a “Security Feature Bypass” in Windows SmartScreen, a part of Microsoft’s slate of endpoint safety instruments.
Patch administration vendor Action1 notes that the exploit for this bug is low in complexity and requires no particular privileges. But it does require some consumer interplay, and may’t be used to achieve entry to non-public data or privileges. However, the flaw can permit different malicious code to run with out being detected by SmartScreen popularity checks.
Dustin Childs, head of menace consciousness at Trend Micro’s Zero Day Initiative, stated CVE-2023-24880 permits attackers to create recordsdata that may bypass Mark of the Web (MOTW) defenses.
“Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen,” Childs stated.
Seven different vulnerabilities Microsoft patched this week earned its most-dire “critical” severity label, which means the updates deal with safety holes that may very well be exploited to offer the attacker full, distant management over a Windows host with little or no interplay from the consumer.
Also this week, Adobe launched eight patches addressing a whopping 105 safety holes throughout a wide range of merchandise, together with Adobe Photoshop, Cold Fusion, Experience Manager, Dimension, Commerce, Magento, Substance 3D Stager, Cloud Desktop Application, and Illustrator.
For a extra granular rundown on the updates launched at present, see the SANS Internet Storm Center roundup. If at present’s updates trigger any stability or usability points in Windows, AskWoody.com will probably have the lowdown on that.
Please take into account backing up your information and/or imaging your system earlier than making use of any updates. And be happy to pontificate within the feedback in the event you expertise any issues on account of these patches.