This year’s February was exactly four weeks long, so the Firefox and Microsoft updates have coincided once more, just as they did last month. Microsoft had to cope with three zero-days last month: security flaws that were found first by attackers and exploited in real attacks before any updates were available.
(The term “zero-day,” often shortened to “0-day,” is a reminder that even the most forward-thinking and vigilant patchers among us had exactly zero days during which we could have been one step ahead of the criminals.) In March 2023 there are two zero-day fixes, one for Outlook and the other for Windows SmartScreen.
Interestingly, the Outlook flaw is credited jointly to CERT-UA (the Ukrainian Computer Emergency Response Team), Microsoft Incident Response and Microsoft Threat Intelligence as a bug found in the wild, even though Microsoft reports it rather blandly as “Exploitation Detected”.
Microsoft describes the bug, CVE-2023-23397: Microsoft Outlook Elevation of Privilege (EoP) Vulnerability, as follows:
An attacker could exploit this vulnerability by sending a specially crafted email that triggers automatically when it is retrieved and processed by the Outlook client. As a result, the exploit could run BEFORE the email is even viewed in the Preview Pane.
An attacker who exploits this flaw could gain access to a user’s Net-NTLMv2 hash, which could then be used as the basis of an NTLM Relay attack against another service to authenticate as that user.
External attackers could send specially crafted emails that cause the victim’s computer to connect to an external UNC location under the attackers’ control. As a result, the attacker would receive the victim’s Net-NTLMv2 hash.
In reality there’s quite a bit more to it than that, because there are two keyed hashes: one that combines the two 8-byte random challenge numbers, and another that mixes in other data such as your username, domain name and the current time. But the basic idea is the same: your password cannot leak in transit, because it is never transmitted, and it is never stored unhashed anywhere, such as in Active Directory.
Also, each side gets to inject 8 bytes of its own randomness every time, so neither party can sneakily reuse an earlier challenge string in the hope of obtaining the same keyed hash as in a previous session. The catch is that if the crooks can trick you into computing the keyed hash and sending it back to them as your “proof that I know my own password right now”, they may be able to pass it on to the legitimate server they’re trying to break into and mislead that server into accepting them as if they were you.
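To make the challenge/keyed-hash argument above concrete, here is an added example that is not part of the original article and is not Microsoft’s actual NTLMv2 algorithm: a constructed toy model of challenge/response login in which HMAC-SHA256 stands in for the keyed hash and SHA-256 of the password stands in for the stored key. It shows that replaying an old response fails because the server’s 8-byte challenge is fresh each session, while a response computed on a live challenge is accepted from whoever presents it, which is exactly what a relay exploits.

```python
import hashlib
import hmac
import os

# Constructed toy model of challenge/response login (not NTLMv2's actual algorithm):
# HMAC-SHA256 stands in for the keyed hash and SHA-256(password) for the stored key.
def keyed_hash(key, server_chal, client_chal):
    return hmac.new(key, server_chal + client_chal, hashlib.sha256).digest()

class Server:
    def __init__(self, users):
        self.users = users      # username -> password-derived key
        self.pending = None     # the single live challenge for the current session

    def challenge(self):
        self.pending = os.urandom(8)
        return self.pending

    def verify(self, user, client_chal, proof):
        key = self.users.get(user)
        if key is None or self.pending is None:
            return False
        expected = keyed_hash(key, self.pending, client_chal)
        self.pending = None     # a challenge may be answered at most once
        return hmac.compare_digest(proof, expected)

class Client:
    def __init__(self, user, password):
        self.user = user
        self.key = hashlib.sha256(password.encode("utf-8")).digest()

    def respond(self, server_chal):
        client_chal = os.urandom(8)    # 8 fresh client bytes; the password never leaves the client
        return self.user, client_chal, keyed_hash(self.key, server_chal, client_chal)

def honest_login(client, server):
    return server.verify(*client.respond(server.challenge()))

def replay_attempt(client, server):
    # An eavesdropper records one full exchange and re-submits the same proof later.
    recorded = client.respond(server.challenge())
    server.verify(*recorded)
    server.challenge()                 # new session, fresh server randomness
    return server.verify(*recorded)    # False: proof was keyed to the old challenge

def relay_attempt(client, server):
    # A relay opens its own session with the real server and gets the victim to answer
    # the server's live challenge for it; the relay never needs the password or key.
    answer = client.respond(server.challenge())
    return server.verify(*answer)      # True: the proof is valid whoever hands it over
```

The defensive takeaway is the one the article draws: the fresh challenges stop replay, but nothing in the exchange itself ties the proof to the party that forwards it, so the fix has to be to stop the client answering challenges from places it never meant to talk to.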
In other words, even though the attack involves a lot of tries, time and luck and isn’t very likely to succeed, you should patch against it anyway, because we already know that it’s an instance of “Exploitation Detected”. That means the attack can be engineered to succeed, and already has been, against a victim who wasn’t expecting it and did nothing unsafe or improper.
The second zero-day, in Windows SmartScreen, means that some files from outside sources, such as downloads or email attachments, fail to receive the proper Mark of the Web (MotW) identifier and therefore evade Microsoft’s official security checks. Microsoft’s public bulletin is vague about which specific file types (images? Office documents? PDFs?) can be used to breach your network this way, but it does warn that “security features such as Protected View in Microsoft Office” can be bypassed using this trick.
We assume this means that dangerous files which are usually rendered harmless, for example by having their embedded macro code disabled, may unexpectedly come to life when they are viewed or opened.