Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns

Microsoft on Tuesday delivered a hefty batch of software security updates and issued warnings for a pair of already-exploited zero-days haunting Windows OS users.

The Redmond, Wash. software giant pushed out fixes for at least 80 Windows flaws and called special attention to CVE-2023-23397, a critical-severity issue in Microsoft Outlook that has been exploited in zero-day attacks.

As has become customary, Microsoft’s security response center did not provide details or indicators of compromise (IOCs) to help defenders hunt for signs of compromise. 

UPDATE (3/15): Microsoft has blamed this exploitation on a Russian threat actor and released a detection script to help defenders hunt for signs of infection.

The company credited the Ukrainian CERT organization and its own MSTI threat intelligence team for the discovery, suggesting it was being exploited in advanced APT attacks in Europe.

“An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user,” Microsoft said in a barebones bulletin documenting the bug.

The company said an attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the email server. 

“This could lead to exploitation BEFORE the email is viewed in the Preview Pane,” Redmond added, noting that external attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control. 

“This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim,” the company warned.

Microsoft also flagged a second vulnerability — CVE-2023-24880  — for urgent attention and warned attackers are continuing to actively bypass its SmartScreen security feature.

The company has struggled to contain attackers bypassing the SmartScreen technology that has been fitted into Microsoft Edge and the Windows operating system to help protect users from phishing and social engineering malware downloads.

The notorious Magniber ransomware operation has been observed exploiting the SmartScreen bypass technique, prompting multiple attempts by Microsoft to mitigate the issue. 

Separately, software maker Adobe also issued an urgent warning about “very limited attacks” exploiting a zero-day vulnerability in its Adobe ColdFusion web app development platform.

Adobe’s warning was embedded in a critical-severity level advisory that contains patches for ColdFusion versions 2021 and 2018.  “Adobe is aware that CVE-2023-26360 has been exploited in-the-wild in very limited attacks targeting Adobe ColdFusion,” the company said.  No other details on the in-the-wild compromises were provided. 

Related: Microsoft Patches MotW Zero-Day Exploited for Malware Delivery

Related: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks

Related: Adobe Warns of ‘Very Limited Attacks’ Exploiting ColdFusion Zero-Day

Related: Microsoft OneNote Abuse for Malware Delivery Surges