March 2023 Patch Tuesday
Microsoft has resolved 80 new CVEs this month and expanded four previously released CVEs to include additional Windows versions. This brings the total number of CVEs addressed this month to 84. There are two confirmed zero-day exploits resolved in this month’s updates that impact Microsoft Office and Windows Smart Screen.
Both exploits are user targeted. There is a total of nine CVEs rated as Critical this month. Eight of the nine Critical CVEs are in the Windows OS update this month. Mozilla has released updates for Firefox and Firefox ESR resolving 13 unique CVEs.
Microsoft has resolved a Security Feature Bypass vulnerability in Windows SmartScreen (CVE-2023-24880). The vulnerability has been detected in exploits in the wild. According to Microsoft’s FAQ:
“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.”
This CVE affects all currently supported versions of the Windows OS. The CVSSv3.1 score is only 5.4, which may avoid notice by many organizations and on its own this CVE may not be all that threatening, but it was likely used in an attack chain with additional exploits. Prioritizing this month’s OS update would reduce the risk to your organization.
Microsoft has resolved an Elevation of Privilege vulnerability in Microsoft 365 Apps and Microsoft Office (CVE-2023-23397). The vulnerability has been detected in exploits in the wild. The vulnerability has a CVSSv3.1 of 9.8 and is rated as Critical by Microsoft. According to Microsoft’s FAQ:
“The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the email server. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”
There are additional mitigations included in the CVE page to mitigate some of the risk for this vulnerability. There is also additional documentation for mitigating Pass-the-Hash attacks that is recommended by Microsoft to work along with the security update to provide a more effective defense. Microsoft Office and Microsoft 365 Apps should be a priority this month to reduce risk to your organization.
Microsoft updated four CVEs this month to expand the impacted software / applications. CVE-2022-43552, CVE-2022-23257, CVE-2022-23825 and CVE-2022-23816 all have added additional versions of Windows OS to the affected products list.
Remediation priorities this month:
- Microsoft Office and Microsoft 365 Apps are the top priority. CVE-2023-23397 is able to be exploited before the message is even viewable in the preview pane. Also, look into the additional mitigations recommended in the CVE documentation.
- Microsoft Windows should be updated soon if possible. CVE-2023-24880 has been exploited and could be used against your organization.
- Ensure all of your browsers are up to date. Mozilla just released updates. Google Chrome and Microsoft Edge (Chromium) have had updates since February. Make sure all of your browsers are up to date.