Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Exchange vulnerabilities disclosed by ZDI

Microsoft on Tuesday delivered a hefty batch of software security updates and issued warnings for a pair of already-exploited zero-days haunting Windows OS users.

The Redmond, Wash. software giant pushed out fixes for at least 80 Windows flaws and called special attention to CVE-2023-23397, a critical-severity issue in Microsoft Outlook that has been exploited in zero-day attacks.

As has become customary, Microsoft’s security response center did not provide details or indicators of compromise (IOCs) to help defenders hunt for signs of compromise. 

UPDATE (3/15): Microsoft has blamed this exploitation on a Russian threat actor and released a detection script to help defenders hunt for signs of infection.

The company credited the Ukrainian CERT organization and its own MSTI threat intelligence team for the discovery, suggesting it was being exploited in advanced APT attacks in Europe.

“An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user,” Microsoft said in a barebones bulletin documenting the bug.

The company said an attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the email server. 

“This could lead to exploitation BEFORE the email is viewed in the Preview Pane,” Redmond added, noting that external attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control. 

Advertisement. Scroll to continue reading.

“This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim,” the company warned.

Microsoft also flagged a second vulnerability — CVE-2023-24880  — for urgent attention and warned attackers are continuing to actively bypass its SmartScreen security feature.

The company has struggled to contain attackers bypassing the SmartScreen technology that has been fitted into Microsoft Edge and the Windows operating system to help protect users from phishing and social engineering malware downloads.

The notorious Magniber ransomware operation has been observed exploiting the SmartScreen bypass technique, prompting multiple attempts by Microsoft to mitigate the issue. 

Separately, software maker Adobe also issued an urgent warning about “very limited attacks” exploiting a zero-day vulnerability in its Adobe ColdFusion web app development platform.

Adobe’s warning was embedded in a critical-severity level advisory that contains patches for ColdFusion versions 2021 and 2018.  “Adobe is aware that CVE-2023-26360 has been exploited in-the-wild in very limited attacks targeting Adobe ColdFusion,” the company said.  No other details on the in-the-wild compromises were provided. 

Related: Microsoft Patches MotW Zero-Day Exploited for Malware Delivery

Related: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks

Related: Adobe Warns of ‘Very Limited Attacks’ Exploiting ColdFusion Zero-Day

Related: Microsoft OneNote Abuse for Malware Delivery Surges

Related Content

Artificial Intelligence

Microsoft threat hunters say foreign APTs are interacting with OpenAI’s ChatGPT to automate malicious vulnerability research, target reconnaissance and malware creation tasks.

Data Breaches

A Russian government-backed hacking team broke into Microsoft’s corporate network and stole emails and attachments from senior executives.

Malware & Threats

Microsoft says an APT with links to Iran’s military intelligence is impersonating a prominent journalist in clever spear-phishing attacks.

Network Security

Quarkslab finds serious, remotely exploitable vulnerabilities in EDK II, the de-facto open source reference implementation of the UEFI spec.

Cloud Security

Microsoft said that it is upgrading its cloud computing service to let customers store all personal data within the European Union.

Network Security

Patch Tuesday: Redmond patches critical, remote code execution vulnerabilities haunting Windows Kerberos and Windows Hyper-V.

Cloud Security

Isovalent raised about 70 million in funding from prominent investors including Microsoft's venture fund, Google, and Andreessen Horowitz.

Malware & Threats

Akamai researchers document more vulnerabilities and patch bypasses leading to zero-click remote code execution in Microsoft Outlook.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version