Microsoft March 2023 Patch Tuesday Fixes 2 Zero-Days, 83 Flaws

March 14, 2023

Microsoft released its March 2023 Patch Tuesday updates today, fixing two actively exploited zero-day vulnerabilities and a total of 83 flaws. Nine of the vulnerabilities have been classified as 'Critical', allowing remote code execution, denial of service, or elevation of privileges attacks. The two zero-day vulnerabilities fixed in today's updates are CVE-2023-23397 and CVE-2023-24880.

CVE-2023-23397 is a Microsoft Outlook privilege elevation bug that allows specially crafted emails to force a target's device to connect to a remote URL and transmit the Windows account's Net-NTLMv2 hash. According to Microsoft, "External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim."

CVE-2023-24880 is a Windows SmartScreen security feature bypass vulnerability that was previously exploited to distribute and install malware. As Microsoft explains, "An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging."

Other vendors who released updates in March 2023 include Adobe, Apple, Google, and Oracle. Microsoft's full report on the March 2023 Patch Tuesday updates can be found here.

Latest News

• Microsoft Patches Outlook Zero-Day Exploited by Russian Hackers
• Microsoft Patches Windows Zero-Day Exploited in Ransomware Attacks
• Adobe Warns of Zero-Day Exploits in ColdFusion
• Fortinet Patches High-Severity FortiOS Bug Used in Zero-Day Attacks
• BlackLotus Secure Boot Bypass Malware Set to Ramp Up