Microsoft released its March 2023 Patch Tuesday updates today, fixing two actively exploited zero-day vulnerabilities and a total of 83 flaws. Nine of the vulnerabilities are classified as 'Critical' because they allow remote code execution, denial of service, or elevation of privilege. The two zero-day vulnerabilities fixed in today's updates are CVE-2023-23397 and CVE-2023-24880.
CVE-2023-23397 is a Microsoft Outlook privilege elevation bug that allows specially crafted emails to force a target's device to connect to a remote URL and transmit the Windows account's Net-NTLMv2 hash. According to Microsoft, "External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim."
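The leak described above only succeeds if the victim's machine can actually reach the attacker-controlled UNC path, so a quick defensive check is to look for outbound SMB connections from workstations to addresses outside the organization. The script below is an added example, not code from Microsoft or the article; the firewall log format, the internal address ranges and the log lines are all constructed for illustration.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample firewall log lines (key=value format invented for this example).
SAMPLE_LOG = """\
2023-03-14T10:01:02Z src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp action=allow
2023-03-14T10:01:09Z src=10.0.0.5 dst=203.0.113.7 dport=445 proto=tcp action=allow
2023-03-14T10:02:15Z src=10.0.0.8 dst=198.51.100.3 dport=443 proto=tcp action=allow
2023-03-14T10:03:30Z src=10.0.0.9 dst=192.0.2.44 dport=139 proto=tcp action=allow
2023-03-14T10:04:00Z src=10.0.0.5 dst=203.0.113.7 dport=445 proto=tcp action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)

# Ports used for SMB / NetBIOS session traffic, i.e. where a UNC connection goes.
SMB_PORTS = {445, 139}

# Assumed internal ranges; a real deployment would use the organisation's own allocations.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    action: str


def is_external(addr: str) -> bool:
    """True when the address is outside every range we consider internal."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_external_smb(log_text: str) -> list[Finding]:
    """Return every SMB/NetBIOS connection attempt whose destination is external.

    Denied attempts are kept too: a blocked connection is still evidence that
    something on the host tried to reach an external UNC path.
    """
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        dport = int(m["dport"])
        if dport in SMB_PORTS and is_external(m["dst"]):
            findings.append(Finding(m["ts"], m["src"], m["dst"], dport, m["action"]))
    return findings


def allowed_external_smb(log_text: str) -> list[Finding]:
    """Subset of findings where the firewall let the connection through."""
    return [f for f in find_external_smb(log_text) if f.action == "allow"]


if __name__ == "__main__":
    for f in find_external_smb(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} ({f.action})")
```

Internal ranges are listed explicitly rather than derived from `ipaddress`'s `is_private`, because that property also covers the documentation ranges used in the sample and would misclassify them. On a real network the interesting result is the allowed set: those hosts should be checked for the crafted message and, more generally, outbound SMB to the Internet is rarely something a workstation needs.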
CVE-2023-24880 is a Windows SmartScreen security feature bypass vulnerability that was previously exploited to distribute and install malware. As Microsoft explains, "An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging."
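Mark of the Web is stored as a small `Zone.Identifier` alternate data stream attached to a downloaded file, and Protected View opens a document read-only when that stream marks it as coming from the Internet (ZoneId 3) or Restricted sites (ZoneId 4) zone. The code below is an added example, not Microsoft's code or anything from the article; it parses a constructed `Zone.Identifier` stream so a defender can audit whether files still carry the tag. The `read_zone_identifier` helper only works on Windows NTFS volumes, since other platforms have no such stream.

```python
from __future__ import annotations

import sys
from typing import Optional

# Constructed example of the stream a browser writes next to a download.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "HostUrl=https://example.com/report.docx\r\n"
)

# URLZONE values as used by Windows; 3 and 4 are the ones Protected View reacts to.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream, or None if absent/invalid."""
    zone: Optional[int] = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    zone = int(value.strip())
                except ValueError:
                    return None  # malformed value: treat as no usable mark
    return zone


def is_marked_untrusted(text: str) -> bool:
    """True when the mark places the file in a zone Protected View treats as untrusted."""
    zone = parse_zone_identifier(text)
    return zone is not None and zone >= 3


def describe(text: str) -> str:
    zone = parse_zone_identifier(text)
    if zone is None:
        return "no Mark of the Web"
    return f"zone {zone} ({ZONE_NAMES.get(zone, 'unknown')})"


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier stream of a file; Windows/NTFS only."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(describe(SAMPLE_ZONE_IDENTIFIER))
```

A file that arrived from the Internet but reports "no Mark of the Web" is exactly the situation the bypass produces, which is why an audit like this belongs next to the patch rather than instead of it; the parser deliberately returns `None` for a malformed `ZoneId` so that odd-looking streams are surfaced instead of silently treated as trusted.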
Other vendors who released updates in March 2023 include Adobe, Apple, Google, and Oracle. Microsoft's full report on the March 2023 Patch Tuesday updates can be found here.