March’s Patch Tuesday appears to be similar to last month, with 80 total vulnerabilities being patched. In this, 9 vulnerabilities classed as critical have been patched along with 2 publicly disclosed and 2 exploited in the wild.
• Azure
• Internet Control Message Protocol (ICMP)
• Microsoft Dynamics
• Microsoft Edge
• Microsoft Office
• Microsoft OneDrive
• Microsoft Printer Drivers
• Office for Android
• Remote Access Service Point-to-Point Tunneling Protocol
• Role: DNS Server
• Role: Windows Hyper-V
• Visual Studio
• Windows Accounts Control
• Windows Cryptographic Services
• Windows Defender
• Windows Internet Key Exchange (IKE) Protocol
• Windows Kernel
• Windows Partition Management Driver
• Windows Point-to-Point Protocol over Ethernet (PPPoE)
• Windows Remote Procedure Call
• Windows Resilient File System (ReFS)
• Windows Secure Channel
• Windows SmartScreen
• Windows TPM
• Windows Win32K
Classified as critical and exploited in the wild, this vulnerability can be exploited by sending a specially crafted email to force a connection to a specific URL and transmit the Windows Account’s Net-NTLMv2 hash allowing an attacker to authenticate to services as the victim. Microsoft has reported that the vulnerability is triggered before the email is previewed as it is processed by the email server. This attack has been reported to be used by STRONTIUM, a state-sponsored Russian hacking group.
Attackers have exploited a vulnerability in Windows SmartScreen that would allow the creation of malicious executable files that would bypass Mark of the Web (MOTW) security. Consequently, this would remove future security defences relying on MOTW such as protected view. This has been reported to be used in Magniber ransomware operations by Google’s Threat Analysis Group.
This critical vulnerability would require a malicious certificate to be imported on an affected system. An attacker could upload a certificate to a service that processes or imports certificates, or an attacker could convince an authenticated user to import a certificate on their system, This would then allow for remote code execution. Microsoft has reported a low attack complexity and exploitation more likely.
CVE-2023-1017 would allow malicious TPM commands from a guest VM to a target running Hyper-V, an attacker can cause an out-of-bounds write in the root partition. CVE-2023-1018 is an out-of-bounds read vulnerability that exists in TPM2.0's Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can read or access sensitive data stored in the TPM. Both these vulnerabilities are classified as critical.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Mar
Security update guide: https://msrc.microsoft.com/update-guide/
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
