{"id":21472,"date":"2023-03-14T13:20:55","date_gmt":"2023-03-14T21:20:55","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/03\/14\/news-15203\/"},"modified":"2023-03-14T13:20:55","modified_gmt":"2023-03-14T21:20:55","slug":"news-15203","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/03\/14\/news-15203\/","title":{"rendered":"A little something for everyone on a patchwork Patch Tuesday"},"content":{"rendered":"<p><strong>Credit to Author: Angela Gunn| Date: Tue, 14 Mar 2023 18:58:33 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Microsoft on Tuesday released patches for 73 vulnerabilities in ten product families, including 6 Critical-severity issues in Windows. As is the custom, the largest number of addressed vulnerabilities affect Windows, with 54 CVEs. Dynamics follows with 6 CVEs; followed by Office (4), Azure and SharePoint (2 each), and MMPE (1). In an unusually wide-ranging month, there are also patches for other platforms entirely \u2013 Android (3), iOS (1), and macOS (1).<\/p>\n<p>At patch time, just one of the issues this month has been publicly disclosed, and only two appear to be under exploit in the wild: CVE-2023-23397, an Important-severity spoofing issue in Outlook, and CVE-2023-24880, a Moderate-severity security feature bypass in Windows SmartScreen. 
However, Microsoft cautions that seven of the issues addressed are more likely to be exploited in either the latest or earlier versions of the affected product soon (that is, within the next 30 days).<\/p>\n<p>And surprises happen, after all: Microsoft is currently contending with not one but two publicly revealed proofs of concept for recently patched issues &#8212; <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/01\/10\/january-2023-patch-roundup\/\">January\u2019s<\/a> CVE-2023-21768 and <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/02\/14\/a-diverse-set-of-fixes-in-februarys-patch-tuesday-release\/\">February\u2019s<\/a> CVE-2023-21716 \u2013 the latter of which was dubbed \u201cless likely\u201d to be exploited soon when the patch was released just 28 days ago.<\/p>\n<p>By the numbers<\/p>\n<ul>\n<li>Total Microsoft CVEs: 73<\/li>\n<li>Total advisories shipping in update: 0<\/li>\n<li>Publicly disclosed: 1<\/li>\n<li>Exploited: 2<\/li>\n<li>Exploitation more likely in latest version: 6<\/li>\n<li>Exploitation more likely in older versions: 1<\/li>\n<li>Severity\n<ul>\n<li>Critical: 6<\/li>\n<li>Important: 66<\/li>\n<li>Moderate: 1<\/li>\n<\/ul>\n<\/li>\n<li>Impact\n<ul>\n<li>Remote Code Execution: 24<\/li>\n<li>Elevation of Privilege: 17<\/li>\n<li>Information Disclosure: 15<\/li>\n<li>Spoofing: 10<\/li>\n<li>Denial of Service: 4<\/li>\n<li>Security Feature Bypass: 3<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-01.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90482\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-01.png\" alt=\"A bar chart showing impact and severity for March 2023 patches, as covered in the text.\" width=\"640\" height=\"425\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-01.png 847w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-01.png?resize=300,199 300w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-01.png?resize=768,510 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: As they did last month, remote code execution issues make up the largest portion of March 2023\u2019s patches from Microsoft<\/em><\/p>\n<p>Products<\/p>\n<ul>\n<li>Windows: 54<\/li>\n<li>Dynamics: 6<\/li>\n<li>Office: 4 (one shared with SharePoint)<\/li>\n<li>Azure: 2<\/li>\n<li>SharePoint: 2 (one shared with Office)<\/li>\n<li>OneDrive for Android: 2<\/li>\n<li>MMPE: 1<\/li>\n<li>OneDrive for iOS: 1<\/li>\n<li>OneDrive for macOS: 1<\/li>\n<li>Outlook for Android: 1<\/li>\n<\/ul>\n<p>This month\u2019s release also included information on four Important-severity GitHub CVEs affecting Visual Studio. Microsoft provided information on the four (CVE-2023-22490, CVE-2023-22743, CVE-2023-23618, and CVE-2023-23946) mainly to reassure administrators that the latest builds of Visual Studio are no longer susceptible to those issues. These four CVEs are not reflected in the monthly statistics. 
Neither is the sole Edge patch this month (CVE-2023-24892), which addresses an Important-class spoofing issue; nor are two issues in the Trusted Computing Group\u2019s TPM 2.0 reference implementation (CVE-2023-1017, an out-of-bounds write, and CVE-2023-1018, an out-of-bounds read), which originate in third-party TPM code rather than in Windows itself.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90483\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02-1.png\" alt=\"A bar chart showing the product families affected by March's patches, as covered in text.\" width=\"640\" height=\"420\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02-1.png 834w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02-1.png?resize=300,197 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02-1.png?resize=768,504 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 2: Windows patches make up two-thirds of the March 2023 load, including all of the Critical-class issues<\/em><\/p>\n<p><strong>Notable March updates<\/strong><\/p>\n<p><strong>CVE-2023-23397 \u2013 Microsoft Outlook Spoofing Vulnerability<\/strong><\/p>\n<p>This issue, which has a 9.1 CVSS base score despite being classified by Microsoft as Important-severity, is one of the two for which exploitation has already been detected. To exploit this vulnerability, an attacker would send a maliciously crafted email that would create a connection from the victim to an external UNC location under the attacker\u2019s control. This connection would leak the victim\u2019s Net-NTLMv2 hash (strictly, the NTLMv2 challenge response) to the attacker, who could then relay it to another service and thus authenticate as the victim. Unfortunately, no user interaction is required to cause this. 
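The mechanism just described (a UNC path carried inside a message property and fetched automatically when Outlook processes the item) is also what Microsoft's own CVE-2023-23397 mailbox-scanning script looks for: the extended MAPI property PidLidReminderFileParameter, which Outlook treats as the path of a custom reminder sound. What follows is an added example, not code from the Sophos article or from Microsoft's script: a Python triage routine that classifies such property values after they have been pulled from mailboxes, flagging the ones that would make Outlook authenticate to a host outside an allowlist. The message ids, hostnames and property values are constructed, and `trusted_suffixes` is an assumed, operator-supplied parameter.

```python
"""Triage of reminder-path values for CVE-2023-23397 (added example).

This is not code from the Sophos article nor Microsoft's own CVE-2023-23397
scanning script. It classifies values of the extended MAPI property
PidLidReminderFileParameter (the custom reminder-sound path that Outlook
opens automatically when a reminder fires), flagging those that reach a
host outside an operator-supplied allowlist: an SMB or WebDAV connection
to such a host is what leaks the user's Net-NTLMv2 response.
All hostnames, message ids and property values below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Accepts \\host\share\..., \\?\UNC\host\share\... and //host/share/...
_UNC_RE = re.compile(
    r"^(?:\\\\\?\\UNC\\|\\\\|//)(?P<host>[^\\/]+)(?:[\\/](?P<rest>.*))?$"
)


@dataclass(frozen=True)
class Verdict:
    kind: str             # "empty", "local", "internal-unc" or "external-unc"
    host: str = ""        # host named by the UNC path, lowercased, @port/@SSL stripped
    webdav: bool = False  # \\host@80\... or \\host@SSL\... forms go via the WebDAV client


def _is_private_ip(host: str) -> bool:
    """True for RFC 1918, loopback and link-local literals; False for names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def classify_reminder_path(value: str, trusted_suffixes=()) -> Verdict:
    """Classify one PidLidReminderFileParameter value.

    trusted_suffixes (assumed, operator-supplied): hostnames or domain
    suffixes such as "corp.example" that count as internal. Any other host
    reachable through a UNC path is reported as external, because Outlook
    would authenticate to it with NTLM.
    """
    if not value or not value.strip():
        return Verdict("empty")
    m = _UNC_RE.match(value.strip())
    if not m:
        return Verdict("local")  # e.g. C:\Windows\Media\chimes.wav
    raw_host = m.group("host")
    webdav = "@" in raw_host
    host = raw_host.split("@", 1)[0].lower().rstrip(".")
    if host in ("localhost", ".") or _is_private_ip(host):
        return Verdict("internal-unc", host, webdav)
    for suffix in trusted_suffixes:
        s = suffix.lower().lstrip(".")
        if host == s or host.endswith("." + s):
            return Verdict("internal-unc", host, webdav)
    return Verdict("external-unc", host, webdav)


def triage(messages, trusted_suffixes=()):
    """Return (message_id, Verdict) for every message whose reminder path
    points at an external host; these are the messages to pull and the
    users whose NTLM credentials should be treated as exposed."""
    hits = []
    for msg_id, value in messages:
        verdict = classify_reminder_path(value, trusted_suffixes)
        if verdict.kind == "external-unc":
            hits.append((msg_id, verdict))
    return hits


# Constructed sample: (message id, PidLidReminderFileParameter value)
SAMPLE_MESSAGES = [
    ("msg-001", r"C:\Windows\Media\Windows Notify Calendar.wav"),   # stock sound
    ("msg-002", r"\\fileserver.corp.example\share\reminder.wav"),  # internal share
    ("msg-003", r"\\files.attacker.example\share\sound.wav"),      # SMB to outside host
    ("msg-004", r"\\attacker.example@80\dav\x.wav"),               # WebDAV fallback form
    ("msg-005", r"\\?\UNC\10.0.0.5\share\ok.wav"),                 # long UNC form, RFC 1918
    ("msg-006", ""),                                               # no custom sound set
]

if __name__ == "__main__":
    for msg_id, v in triage(SAMPLE_MESSAGES, trusted_suffixes=("corp.example",)):
        print(f"{msg_id}: {v.kind} host={v.host} webdav={v.webdav}")
```

Anything reported as external-unc deserves the full incident process rather than just deletion: by the time the item is found, the reminder has usually already fired and the NTLM response has left the machine. The hardening Microsoft paired with the patch still applies after triage: block outbound TCP 445 at the perimeter so the SMB connection cannot complete, and add high-value accounts to the Protected Users group so they cannot authenticate with NTLM at all.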
In fact, a skilled attacker could send an email that triggers the vulnerability as soon as it is retrieved and processed by the Outlook client \u2013 in other words, even before it reaches the Preview Pane, let alone is opened.<\/p>\n<p><strong>CVE-2023-24880 \u2013 Windows SmartScreen Security Feature Bypass Vulnerability<\/strong><\/p>\n<p>The other issue in March\u2019s patch collection for which exploitation has been detected (and the only one publicly disclosed), this is a Moderate-class issue in SmartScreen. An attacker looking to evade SmartScreen\u2019s reputation checks could craft a file that evades <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/10\/12\/are-threat-actors-turning-to-archives-and-disk-images-as-macro-usage-dwindles\/\">Mark of the Web<\/a> (MotW) tagging defenses, allowing a file that originated on the Internet to be treated as if it were trusted; other protections keyed to the MotW tag, such as Protected View in Office, are bypassed along with SmartScreen itself.<\/p>\n<p><strong>CVE-2023-23411 \u2013 Windows Hyper-V Denial of Service Vulnerability<\/strong><\/p>\n<p>Another no-user-interaction-required issue, though fortunately this Critical-class Hyper-V issue has a local attack vector, so an attacker must already be able to run code on the system to trigger it. Once that is achieved, though, total loss of host availability is at hand.<\/p>\n<p><strong>CVE-2023-23392 \u2013 HTTP Protocol Stack Remote Code Execution Vulnerability<\/strong><\/p>\n<p>One of the issues Microsoft believes to be more likely to be exploited within 30 days of patch release, this Critical-class RCE is remotely exploitable and requires no user interaction or system privileges. A successful attacker would exploit this by sending a maliciously crafted packet to a targeted server that uses http.sys (the HTTP Protocol Stack) to process packets. Per Microsoft\u2019s advisory, the vulnerable code path is reachable only on servers where HTTP\/3 has been enabled (it is off by default) and the binding uses buffered I\/O. 
Interestingly, this issue affects only the latest versions of the operating system (Windows 11, Windows Server 2022).<\/p>\n<p><strong>CVE-2023-23403, CVE-2023-23406, CVE-2023-23413, CVE-2023-24856, CVE-2023-24857, CVE-2023-24858, CVE-2023-24863, CVE-2023-24864, CVE-2023-24865, CVE-2023-24866, CVE-2023-24867, CVE-2023-24868, CVE-2023-24870, CVE-2023-24872, CVE-2023-24876, CVE-2023-24906, CVE-2023-24907, CVE-2023-24909, CVE-2023-24911, and CVE-2023-24913 (various titles)<\/strong><\/p>\n<p>What do these twenty patches have in common? PostScript. All twenty of these involve PostScript printer drivers, and one (CVE-2023-23403) touches PCL Class 6 printer drivers as well. Nine vulnerabilities can lead to remote code execution, with 10 allowing information disclosure and one permitting elevation of privilege. Microsoft rates the severity of all 20 as Important, but their CVSS base scores range from a medium-level 5.4 information disclosure (CVE-2023-24857) to two RCEs weighing in at a concerning 9.8 (CVE-2023-23406, CVE-2023-24867). Another issue, CVE-2023-24876, is deemed to be more likely to see exploitation in the next thirty days. 
Remarkably, just four researchers are responsible for all these finds: Zhiniang (Edward) Peng, Zesen Ye, kap0k, and (from Microsoft\u2019s own MSRC team) Adel.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90484\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03-1.png\" alt=\"A bar chart showing cumulative patches for 2023, sorted by impact.\" width=\"640\" height=\"420\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03-1.png 842w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03-1.png?resize=300,197 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03-1.png?resize=768,503 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 3: As the year goes on, remote code execution flaws account for the largest number of patches overall and the largest number of critical-severity patches so far. Note that the total number of spoofing vulnerabilities addressed in 2023 doubles with this month\u2019s release<\/em><\/p>\n<p><strong>Sophos protections<\/strong><\/p>\n<p>For CVE-2023-23416, the signatures for both Sophos Intercept X\/Endpoint IPS and Sophos XGS Firewall are silent detections (monitoring telemetry).<\/p>\n<p>As every month, if you don\u2019t want to wait for your system to pull down Microsoft\u2019s updates itself, you can download them manually from the Windows Update Catalog website. 
Run the winver.exe tool to determine which build of Windows 10 or 11 you\u2019re running, then download the Cumulative Update package for your specific system\u2019s architecture and build number.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/03\/14\/march-2023-patch-tuesday\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/shutterstock_719923828.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn| Date: Tue, 14 Mar 2023 18:58:33 +0000<\/strong><\/p>\n<p>Even MacOS, iOS, and Android get a piece of the pie in March<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[28847,28848,28849,28850,28638,25828,10516,10909,3495,19245,28641,16771],"class_list":["post-21472","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-cve-2023-23392","tag-cve-2023-23397","tag-cve-2023-23411","tag-cve-2023-24880","tag-dynamics","tag-mark-of-the-web","tag-microsoft","tag-microsoft-office","tag-microsoft-windows","tag-patch-tuesday","tag-postscript","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21472","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21472"}],"version-history":[{
"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21472\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21472"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}