On Tuesday, Microsoft issued updates to address at least 74 security vulnerabilities in its Windows operating systems and software. Among these, two flaws are already being actively exploited, with one particularly severe vulnerability found in Microsoft Outlook that can be exploited without any user involvement.
The Outlook vulnerability (CVE-2023-23397) affects all supported versions of Microsoft Outlook for Windows, from Outlook 2013 through the current release. Microsoft confirmed that attackers are exploiting this weakness. It requires no user interaction: the attacker sends a specially crafted email, and the exploit triggers automatically when the Outlook client retrieves and processes the message, before it is even displayed in the Preview Pane.
Although CVE-2023-23397 is classified as an “Elevation of Privilege” vulnerability, its severity is not accurately conveyed by this label, according to Kevin Breen, director of cyber threat research at Immersive Labs. Known as an NTLM relay attack, it enables an attacker to obtain an individual’s NTLM hash (Windows account password) and use it in a “Pass The Hash” attack.
Breen explained that the vulnerability effectively allows the attacker to authenticate as a trusted person without needing to know their password, which is equivalent to the attacker having valid credentials with access to an organization’s systems.
Rapid7, a security firm, highlights that this bug affects self-hosted Outlook versions like Microsoft 365 Apps for Enterprise, but not Microsoft-hosted online services such as Microsoft 365.
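The mechanism described above rests on a single message property: the reminder sound file path (PidLidReminderFileParameter, a named property in the PSETID_Common set, LID 0x851F) that the Outlook client resolves when it processes the message. Pointing it at a UNC path on an attacker-controlled host makes the client authenticate to that host, leaking a Net-NTLM challenge-response that can then be relayed. Microsoft's published audit script for CVE-2023-23397 inspects this same property across mailboxes. The block below is an added, simplified illustration written for this page, not Microsoft's script or anything from the original article: it takes a constructed list of message properties (invented sample data, not real mail) and flags any whose reminder file parameter is a UNC path to a host outside an assumed internal DNS suffix. The `.corp.example` suffix and the message contents are assumptions.

```python
import re

# Constructed sample: a simplified view of the properties a mailbox scanner
# would read from each message. These are invented records, not real mail.
SAMPLE_MESSAGES = [
    {"subject": "Team sync", "PidLidReminderFileParameter": None},
    {"subject": "Reminder", "PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"},
    {"subject": "Invoice", "PidLidReminderFileParameter": r"\\203.0.113.10\share\alert.wav"},
    {"subject": "Calendar", "PidLidReminderFileParameter": r"\\fileserver.corp.example\sounds\ding.wav"},
    # WebDAV-style UNC with an explicit port, another form the client will resolve
    {"subject": "Meeting", "PidLidReminderFileParameter": "\\\\evil.example@80\\dav\\x.wav"},
]

# Assumption: hosts under this suffix are the organization's own file servers.
INTERNAL_SUFFIXES = (".corp.example",)

# \\host\share  or  \\host@port\share  (Outlook hands both to the redirector)
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(\d+|SSL))?\\", re.IGNORECASE)


def remote_host(path):
    """Return the host named by a UNC reminder path, or None for local/non-UNC paths."""
    if not path:
        return None
    match = UNC_RE.match(path)
    return match.group(1) if match else None


def is_suspicious(path, internal_suffixes=INTERNAL_SUFFIXES):
    """True when the reminder file would make Outlook authenticate to an external host.

    Local file paths and hosts under a known internal suffix are accepted;
    anything else (raw IP addresses included) is treated as attacker-controlled.
    """
    host = remote_host(path)
    if host is None:
        return False
    host = host.lower()
    if host in ("localhost", "127.0.0.1"):
        return False
    return not host.endswith(internal_suffixes)


def scan(messages):
    """Return the subjects of messages whose reminder path points off the network."""
    return [m["subject"] for m in messages
            if is_suspicious(m.get("PidLidReminderFileParameter"))]


if __name__ == "__main__":
    for subject in scan(SAMPLE_MESSAGES):
        print("suspicious reminder path in message:", subject)
```

A scanner like this only finds messages already delivered; the complementary network-side control is to stop the leaked authentication from leaving at all, by blocking outbound TCP 445 to the internet and adding high-value accounts to the Protected Users group so they cannot authenticate with NTLM.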
The other actively exploited zero-day flaw, CVE-2023-24880, is a “Security Feature Bypass” in Windows SmartScreen, which is part of Microsoft’s endpoint protection tools suite. Patch management provider Action1 notes that the exploit for this bug is low in complexity and does not require special privileges. However, it does necessitate some user interaction and cannot be used to access private information or privileges. The flaw can enable other malicious code to execute without being detected by SmartScreen reputation checks.
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said CVE-2023-24880 allows attackers to create files that would bypass Mark of the Web (MOTW) defenses. He explained that protective measures like SmartScreen and Protected View in Microsoft Office depend on MOTW, so bypassing these defenses makes it easier for threat actors to disseminate malware through malicious documents and other infected files that would otherwise be stopped by SmartScreen.
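Mark of the Web is not magic: on NTFS it is an alternate data stream named Zone.Identifier attached to a downloaded file, and SmartScreen and Office Protected View consult its ZoneId (3 = Internet, 4 = Restricted Sites) before deciding whether to engage. A file delivered with no such stream, or one whose stream the consumer cannot parse, is treated as local and those checks never run, which is why a MOTW bypass like CVE-2023-24880 is worth a patch. The block below is an added example written for this page, not code from the article or from Microsoft: it parses constructed Zone.Identifier stream contents (invented samples) and reports whether MOTW-dependent protections would apply, and it shows how the stream is read from a real file on Windows through the `file:Zone.Identifier` path syntax, returning `None` where the stream is absent.

```python
import configparser

# Constructed sample stream contents, in the INI-style layout Windows writes.
# These are invented examples, not copied from any real file.
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://downloads.example/\r\n"
    "HostUrl=https://downloads.example/report.docm\r\n"
)
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"
SAMPLE_MALFORMED = "[ZoneTransfer]\r\nReferrerUrl=https://x.example/\r\n"  # no ZoneId

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def zone_id_from_stream(stream_text):
    """Parse a Zone.Identifier stream; return the ZoneId, or None if unparseable."""
    if not stream_text:
        return None
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text)
        return int(parser["ZoneTransfer"]["ZoneId"])  # keys are case-insensitive
    except (configparser.Error, KeyError, ValueError):
        return None


def motw_protections_apply(stream_text):
    """True when SmartScreen reputation checks and Protected View would engage.

    Only Internet (3) and Restricted Sites (4) marks trigger them; a missing or
    malformed stream is treated by Windows as a local file, so this returns False.
    That fail-open behaviour is exactly what a MOTW bypass relies on.
    """
    zone = zone_id_from_stream(stream_text)
    return zone in (3, 4)


def read_zone_identifier(path):
    """Read the Zone.Identifier alternate data stream of a file on NTFS.

    Returns the stream text, or None when the file has no mark (or on a
    filesystem without ADS support, where the path simply does not exist).
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def describe(stream_text):
    zone = zone_id_from_stream(stream_text)
    if zone is None:
        return "no usable Mark of the Web: SmartScreen and Protected View skipped"
    return "zone %d (%s): protections %s" % (
        zone, ZONE_NAMES.get(zone, "unknown"),
        "apply" if motw_protections_apply(stream_text) else "do not apply")


if __name__ == "__main__":
    for label, sample in (("internet", SAMPLE_INTERNET), ("intranet", SAMPLE_INTRANET),
                          ("malformed", SAMPLE_MALFORMED), ("absent", None)):
        print(label + ":", describe(sample))
```

To check a file you just downloaded on a patched host, call `read_zone_identifier(r"C:\Users\you\Downloads\report.docm")` and pass the result to `describe`; `Unblock-File` in PowerShell is the sanctioned way to remove the stream when you have decided a file is trustworthy.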
This week, Microsoft also patched seven other vulnerabilities that were given its highest “critical” severity rating. These updates address security gaps that could be exploited to provide an attacker with full, remote control over a Windows host with minimal or no user interaction.
Additionally, Adobe released eight patches this week to fix 105 security vulnerabilities across various products, including Adobe Photoshop, ColdFusion, Experience Manager, Dimension, Commerce, Magento, Substance 3D Stager, Creative Cloud Desktop Application, and Illustrator.