News Summary:
The first vulnerability affects all supported versions of Outlook for Windows and lets an attacker capture a victim's Net-NTLMv2 hash and reuse it in NTLM relay attacks against other systems. The second lets an attacker bypass Microsoft SmartScreen, the Windows component that checks files downloaded from the Internet through the browser.
Microsoft released its monthly security update this week, fixing more than 80 vulnerabilities across its products. Two of them were already being exploited by attackers before the patches were released.
The Outlook vulnerability, tracked as CVE-2023-23397, is classified by Microsoft as an elevation-of-privilege (EoP) flaw and rated critical (9.8/10 on the CVSS scale). Unlike remote code execution vulnerabilities, EoP vulnerabilities are rarely rated this high, because they usually cannot be exploited remotely: the attacker must already have some lower-privileged access to the system.
Specifically, the attacker crafts a message in which an extended Messaging Application Programming Interface (MAPI) property contains a UNC path to a remote SMB share (TCP 445) on a server the attacker controls. Server Message Block (SMB) is the file, printer and network sharing protocol used throughout Windows networks; it also supports inter-process communication. SMB authenticates with NTLM, and whenever a Windows computer connects to a remote SMB resource it answers the server's challenge with a Net-NTLMv2 response, a value derived from the user's password hash. Capturing that response enables NTLM relay, in which the attacker tricks a computer into authenticating to a server it controls and forwards that authentication, while it is in progress, to a legitimate service that accepts it. The captured response cannot be reused for pass-the-hash, since it is bound to the challenge it was computed for, but it can also be cracked offline to recover the password.
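The challenge-response exchange described above, as an added example in Python that is not part of the original article or of Microsoft's documentation: it computes the NT hash, the NTLMv2 key and the Net-NTLMv2 response the client produces for the attacker's server challenge, writes the capture out in the line format tools such as Responder emit and hashcat consumes, then shows why a captured response does not verify against a different server's challenge (so the attacker has to relay it live) yet can be cracked offline with a wordlist. The user, domain, password, server challenge, client nonce and wordlist are constructed for the demo; the MD4 routine is included only because hashlib's md4 is usually unavailable under OpenSSL 3.

```python
"""Net-NTLMv2 challenge-response, end to end: what Outlook hands an attacker's SMB
server, and why it can be relayed or cracked but not replayed. Added illustration,
not Microsoft's or any tool's code. The user, domain, password, server challenge,
client nonce and wordlist below are constructed; the computations follow MS-NLMP."""
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): hashlib's md4 is disabled by default under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rol((a + f(b, c, d) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This value is what pass-the-hash reuses."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPERCASE(user) + domain."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_blob(timestamp: int, client_nonce: bytes, nb_domain: str) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE ('blob'): header, FILETIME, client nonce, AV pairs, trailer."""
    av_pairs = struct.pack("<HH", 2, 2 * len(nb_domain)) + nb_domain.encode("utf-16-le")  # MsvAvNbDomainName
    av_pairs += struct.pack("<HH", 0, 0)                                                  # MsvAvEOL
    return (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def nt_proof(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 over the server's 8-byte challenge and the blob."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def server_verifies(key: bytes, server_challenge: bytes, proof: bytes, blob: bytes) -> bool:
    """The target's check: recompute the proof under ITS OWN challenge. A proof captured under
    another server's challenge fails here, so a captured response cannot simply be replayed;
    it must be relayed live (the relay forwards the real target's challenge) or cracked offline."""
    return hmac.compare_digest(nt_proof(key, server_challenge, blob), proof)


def hashcat_line(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """The capture format tools such as Responder emit and hashcat -m 5600 consumes."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_offline(line: str, wordlist):
    """Dictionary attack on a captured line: challenge and blob are in the clear, only the key is unknown."""
    user, _, domain, chall, proof, blob = line.split(":")
    chall, proof, blob = bytes.fromhex(chall), bytes.fromhex(proof), bytes.fromhex(blob)
    for candidate in wordlist:
        if server_verifies(ntlmv2_key(candidate, user, domain), chall, proof, blob):
            return candidate
    return None


# Constructed demo values (not from any real capture).
USER, DOMAIN, PASSWORD = "jdoe", "CORP", "Winter2023!"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")   # chosen by the attacker's SMB server
CLIENT_NONCE = bytes.fromhex("a1b2c3d4e5f60718")
BLOB = build_blob(133227200000000000, CLIENT_NONCE, DOMAIN)


def capture_from_victim() -> str:
    """What the victim's Outlook produces when it authenticates to the attacker's share."""
    proof = nt_proof(ntlmv2_key(PASSWORD, USER, DOMAIN), SERVER_CHALLENGE, BLOB)
    return hashcat_line(USER, DOMAIN, SERVER_CHALLENGE, proof, BLOB)


if __name__ == "__main__":
    captured = capture_from_victim()
    print(captured)
    print("cracked:", crack_offline(captured, ["password", "Summer2023!", "Winter2023!"]))
```

The two lessons are in `server_verifies` and `crack_offline`: the proof is keyed to the 8-byte challenge of whichever server the client talked to, which is why a relay has to sit in the middle and forward the real target's challenge while the victim is connecting, and why a strong password is the only thing standing between a captured line and a recovered credential once the attacker has it offline.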
Yet this vulnerability can be exploited by a remote attacker with very little effort. According to Microsoft's description, "An attacker could exploit this vulnerability by sending a specially crafted email that is automatically activated when retrieved and processed by the Outlook client." Worse still, the user does not need to open, click on or even preview the email: it only needs to be received, because the flaw sits in the code Outlook runs when it processes the message on arrival.
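A triage check for the trigger described above, as an added example in Python that is not Microsoft's published detection script: given the string value of the crafted message property, it decides whether that value is a UNC path, whether the path uses SMB or one of the WebDAV spellings Windows falls back to when TCP 445 is blocked, and whether the host is on the intranet or on the Internet, then groups mailbox items by that verdict. It assumes the property value has already been extracted from each mailbox item; the internal DNS suffix list and the six sample items are constructed, and the intranet heuristic (single-label names and non-global IP addresses count as internal, as Windows' own security zone mapping treats them) is this example's own.

```python
"""Triage check for the CVE-2023-23397 trigger: does a message's extended MAPI property hold a
UNC path that would make Outlook authenticate to a host outside the organisation? Added example,
not Microsoft's own detection script. It assumes the property value has already been extracted
from the mailbox item as a string; the internal-name list and the sample messages are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed: what this fictional organisation treats as internal DNS namespace.
INTERNAL_SUFFIXES = (".corp.example",)

# \\host\share\file, plus the WebDAV spellings \\host@80\..., \\host@SSL\... and \\host@SSL@443\...
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?:@(?P<ssl>SSL))?(?:@(?P<port>\d+))?\\(?P<path>.*)$",
                    re.IGNORECASE)


@dataclass
class Verdict:
    kind: str            # "not_unc" | "internal_unc" | "external_unc"
    host: str = ""
    transport: str = ""  # "smb" (TCP 445) or "webdav" (the fallback Windows uses when 445 is blocked)


def classify_sound_path(value: str, internal_suffixes=INTERNAL_SUFFIXES) -> Verdict:
    """Heuristic (this example's own, following Windows' security zone rules): a local file is
    harmless, a UNC to an intranet host is worth a look, a UNC to an Internet host is the attack.
    Single-label names and non-global IP literals count as intranet."""
    m = UNC_RE.match(value.strip())
    if not m:
        return Verdict("not_unc")
    host = m.group("host").lower().rstrip(".")
    transport = "webdav" if (m.group("ssl") or m.group("port")) else "smb"
    try:
        internal = not ipaddress.ip_address(host).is_global
    except ValueError:                      # not an IP literal: decide by name
        internal = "." not in host or host.endswith(tuple(internal_suffixes))
    return Verdict("internal_unc" if internal else "external_unc", host, transport)


def scan_messages(messages):
    """messages: iterable of (message_id, property_value). Returns ids grouped by verdict with
    local paths dropped; the ids in each group are the items to pull for review."""
    hits = {"external_unc": [], "internal_unc": []}
    for msg_id, value in messages:
        v = classify_sound_path(value)
        if v.kind in hits:
            hits[v.kind].append(msg_id)
    return hits


# Constructed sample: the property value of six mailbox items.
SAMPLE_MESSAGES = [
    ("msg-1", r"C:\Windows\Media\Alarm01.wav"),                # default local sound
    ("msg-2", r"\\fileserver\sounds\ding.wav"),                 # single-label intranet host
    ("msg-3", r"\\10.0.0.5\sounds\ding.wav"),                   # private IP
    ("msg-4", r"\\cdn.evil-example.net\sounds\ding.wav"),       # SMB to the Internet
    ("msg-5", r"\\cdn.evil-example.net@SSL@443\dav\ding.wav"),  # WebDAV fallback to the Internet
    ("msg-6", r"\\nas.corp.example\sounds\ding.wav"),           # internal DNS suffix
]

if __name__ == "__main__":
    for kind, ids in scan_messages(SAMPLE_MESSAGES).items():
        print(kind, ids)
```

Two caveats for anyone adapting this. Blocking outbound TCP 445 at the perimeter stops the SMB case but not the WebDAV one, which is why the `@port` and `@SSL` forms are parsed and still flagged as external. And an attacker who already holds an internal machine can point the path at it, so `internal_unc` hits are a review queue, not a clean bill of health.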