Patch Tuesday March 2023: Outlook Zero-Day and Challenges for Legacy Apps Due to DCOM Hardening   

Microsoft has addressed 83 flaws this Patch Tuesday, two of which are actively exploited zero-day vulnerabilities involving Microsoft Outlook and Mark of the Web (MOTW) evasion. However, there may be larger headaches looming for system admins and helpdesks due to the new DCOM hardening measures that were finalized as part of this Microsoft Patch Tuesday.

Microsoft Vulnerabilities

Of the 83 vulnerabilities addressed this month by Microsoft, nine are Critical and there are two zero-days under active exploitation. The zero-day vulnerabilities for this month are both notable and require the immediate attention of MSPs and sysadmins. CVE-2023-23397 and CVE-2023-24880 are going to affect a large number of environments as they involve Microsoft Outlook and Windows SmartScreen, which are almost ubiquitous in modern businesses.

CVE-2023-24880 allows an attacker to evade the MOTW defense, allowing evasion of Windows SmartScreen and potentially leading to the execution of malicious payloads. While it is under active exploitation it’s lower CVSS of 5.4 and the use of a good endpoint protection solution should keep this from causing widespread havoc.

Meanwhile, CVE-2023-23397 is a Microsoft Outlook elevation of privilege vulnerability carrying a CVSS score of 9.8. It allows an attacker to use “specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim”.

This means an attacker can record the valid credentials of a user simply by sending an email that is downloaded by Outlook, regardless of whether the user views the email or not, forcing Outlook to authenticate to an SMB share controlled by the attacker. Results of this attack can range from lateral movement within an environment, to anything else that a valid set of credentials could allow an attacker to do. The more privileged the user targeted, the greater the potential damage that can be done.

Related Product

N‑central

Manage large networks or scale IT operations with RMM made for growing service providers.

Find out more

CVE-2023-23397 Hunting, Remediation and Mitigations

Microsoft has also provided additional information on remediation, mitigations, and hunting for any Exchange users that may have been targeted by this attack. Microsoft is advising additional mitigations be applied along with standard security updates. These include adding users to the Protected Users Security Group (which might have an impact on any applications using NTLM authentication), and blocking TCP 445 outbound on endpoint and perimeter firewalls along with blocking on VPNs.

Microsoft has also provided a PowerShell script that can be run against an Exchange Server to discover any email, calendar, or task item that has a property populated with a UNC path. This can indicate potentially targeted accounts and it would be a good idea to investigate activity associated with those accounts, rotate the password, and enable MFA if not already enabled.

DCOM Hardening

Distributed Component Object Model (DCOM) has been a core component of how many applications (including line of business software) operate over networks for well over 20 years. This means that legacy software may be impacted by KB5004442 now forcing DCOM servers to use more robust authentication with no option to revert to less secure options. This is another great example of how the need for more resilient and secure operations forces improvements that some businesses may see as an unnecessary headache or expense. The reality is they are really just the cost of doing business in a modern, ever-connected global economy.

Related Product

N‑sight RMM

Inizia a utilizzare rapidamente la soluzione RMM progettata per MSP e reparti IT di piccole dimensioni.

Find out more

Microsoft Patch Tuesday Vulnerability Prioritization

As always, prioritizing which vulnerabilities to address first is part following established best practices and a little bit of gut instinct. Critical severity, exploitation more likely and exploitation detected vulnerabilities as always should be ranking fairly high on priority list. If you only patch based on severity you are leaving a lot of unnecessary risk exposure lying around.

Table Key: Severity: C = Critical, I = Important, M = Moderate; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected 

Summary

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out this section of our blog. 

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd