Microsoft Zero-Day Bugs Allow Security Feature Bypass

Publicated : 23/11/2024   Category : security




Security vendors urge organizations to fix the actively exploited bugs, in Microsoft Outlook and the Mark of the Web feature, immediately.



IT teams should prioritize the patching of two zero-day vulnerabilities, one in Microsoft Outlook's authentication mechanism and another that's a Mark of the Web bypass, security experts said today. The two are part of a cache of 74 security bugs that Microsoft disclosed in its March Patch Tuesday security update.
In a blog post, researchers from Automox recommended that organizations patch both vulnerabilities within 24 hours, since attackers are exploiting them in the wild.
In addition, several of the critical flaws in the March update enable remote code execution (RCE), making them a high priority for patching as well. 
Vendors had slightly different takes on the total number of new critical vulnerabilities in Microsoft's March update — likely because of differences in what they included in the count. Trend Micro's Zero-Day Initiative (ZDI), for instance, identified six of the vulnerabilities in Microsoft's March update as critical, while Tenable and Action1 pegged the number at nine.
One of the zero-days is a critical privilege escalation vulnerability in Microsoft Outlook tracked as CVE-2023-23397, which allows an attacker to access the victim's Net-NTLMv2 challenge-response authentication hash and then impersonate the user.
What makes the bug dangerous is that an attacker could trigger it simply by sending a specially crafted email that Outlook retrieves and processes before the user even views it in the Preview Pane.
This is because the vulnerability is triggered on the email server side, meaning exploitation would occur before a victim views the malicious email, said Satnam Narang, senior staff research engineer at Tenable, in an emailed comment. An attacker could use the victim's Net-NTLMv2 hash to conduct an attack that exploits the NTLM challenge-response mechanism and allows the adversary to authenticate as the user.
That makes the bug more of an authentication bypass vulnerability than a privilege escalation issue, added ZDI researcher Dustin Childs, in a blog post that summarized the most important flaws in Microsoft's March Patch Tuesday update. Disabling the Preview Pane option will not mitigate the threat because the bug gets triggered even before that, he wrote.
Microsoft attributed the bug's discovery to researchers from Ukraine's Computer Emergency Response Team (CERT) as well as one of its own researchers.
Organizations that cannot patch CVE-2023-23397 immediately should consider implementing Microsoft's mitigation for the flaw, which prevents the use of NTLM as an authentication mechanism, Automox said.
Microsoft identified the second zero-day bug as CVE-2023-24880, a Windows SmartScreen security feature bypass issue that an attacker could use to bypass the Mark of the Web designation that Microsoft uses to identify files that a user might download from the Internet.
The feature is designed to warn users about potentially unsafe content. CVE-2023-24880 affects all desktop systems running Windows 10 and above and systems running Windows Server 2016, 2019, and 2022.
Chris Goettl, vice president of security products at Ivanti, cautioned administrators not to be lulled into a sense of false security by Microsoft's relatively low severity rating for the flaw.
The CVSSv3.1 score is only 5.4, which may avoid notice by many organizations, Goettl said in a statement. On its own, the CVE may not be all that threatening, but it was likely used in an attack chain with additional exploits, he warned.
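As an added illustration (not from the article, nor Microsoft's or any vendor's code), the PowerShell snippet below shows what the Mark of the Web actually is on disk and how a defender can audit downloaded files for it. Windows records the mark as an NTFS alternate data stream named Zone.Identifier, and SmartScreen consults that stream before opening the file; a file that lacks the stream, or whose zone says it did not come from the Internet, is exactly the kind of file a MotW bypass produces. The function name, the Downloads folder used for the audit and the handling of the stream's fields are this example's own assumptions.

```powershell
# Added example (not from the article): inspect the Mark of the Web (MotW)
# on downloaded files. Windows stores MotW as an NTFS alternate data stream
# named Zone.Identifier; SmartScreen reads it before the file is opened.
# Assumes an NTFS volume and Windows PowerShell 5.1 or later.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    try {
        # -Stream reads the alternate data stream; it throws if the file has no MotW.
        $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Path = $Path; HasMotW = $false; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null
        }
    }

    # The stream is INI-style text: a [ZoneTransfer] header followed by key=value lines.
    $fields = @{}
    foreach ($line in $raw) {
        if ($line -match '^(\w+)=(.*)$') { $fields[$matches[1]] = $matches[2] }
    }

    [pscustomobject]@{
        Path        = $Path
        HasMotW     = $true
        # ZoneId: 0 = My Computer, 1 = Local Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted
        ZoneId      = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null }
        ReferrerUrl = $fields['ReferrerUrl']
        HostUrl     = $fields['HostUrl']
    }
}

# Audit the Downloads folder (assumed location) and flag files that SmartScreen
# would not treat as Internet content: no stream at all, or a zone below 3.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File |
    ForEach-Object { Get-MarkOfTheWeb -Path $_.FullName } |
    Where-Object { -not $_.HasMotW -or $_.ZoneId -lt 3 } |
    Format-Table Path, HasMotW, ZoneId, HostUrl -AutoSize
```

The audit does not say how a file lost its mark, only that it has none; files copied from a FAT-formatted USB stick, extracted by an archiver that does not propagate the stream, or delivered by a bypass like the one patched here all look the same, which is why the article's advice to patch rather than rely on the warning alone holds.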
One of the RCE flaws to make a special note of is CVE-2023-23415, which exists in the Internet Control Message Protocol (ICMP) that network devices use to diagnose communications issues.
An attacker can remotely exploit this vulnerability through the use of a low-level protocol error containing a fragmented IP packet in its header that is sent to the target machine, Microsoft said. The vulnerability affects multiple Microsoft products, including Windows 10, Windows 11, Windows Server 2008, 2012, 2016, 2019, and 2022.
ZDI, Automox, and Action1 also all identified an RCE vulnerability with a near-maximum severity of 9.8 on the CVSS scale in the HTTP Protocol Stack as another issue that organizations might want to prioritize.
The vulnerability (CVE-2023-23392) allows an unauthenticated attacker to send a specially crafted packet to a server that uses the HTTP Protocol Stack, leading to RCE. The vulnerability affects Windows Server 2022 and Windows 11, and has a low-complexity attack vector that requires no privileges or user interaction, Action1 warned. Because of this, Microsoft has assessed the vulnerability as one that threat actors are more likely to exploit than other flaws.
Automox also recommended that organizations address CVE-2023-23416, an RCE bug in the Windows Cryptographic Services protocol, within 72 hours. That's because, among other things, it affects all versions of desktop Windows 10 and above, and all Windows Server editions from Server 2012 on.
In addition to patches for new vulnerabilities, Microsoft also issued updates for four older flaws — all from 2022 — in its March patch cycle. The update expands the number of Microsoft software and applications affected by the vulnerabilities and provides a patch for them, Ivanti said. The security vendor identified the four updated patches as CVE-2022-43552, CVE-2022-23257, CVE-2022-23825, and CVE-2022-23816.
