Microsoft Zero-Day Bugs Allow Security Feature Bypass

IT teams should prioritize the patching of two zero-day vulnerabilities, one in Microsoft Outlook’s authentication mechanism and another that’s a Mark of the Web bypass, security experts said today. The two are part of a cache of 74 security bugs that Microsoft disclosed in its March Patch Tuesday security update.

In a blog post, researchers from Automox recommended that organizations patch both vulnerabilities within 24 hours since attackers are exploiting them in the wild. 

In addition, several of the critical flaws in the March update enable remote code execution (RCE), making them a high priority for patching as well. 

Vendors had slightly different takes on the total number of new critical vulnerabilities in Microsoft’s March update — likely because of differences in what they included in the count. Trend Micro’s Zero-Day Initiative (ZDI), for instance, identified six of the vulnerabilities in Microsoft’s March update as critical, while Tenable and Action1 pegged the number at nine.

Privilege Escalation Zero-Day

One of the zero-days is a critical privilege escalation vulnerability in Microsoft Outlook tracked as CVE-2023-23397, which allows an attacker to access the victim’s Net-NTLMv2 challenge-response authentication hash and then impersonate the user. 

What makes the bug dangerous is that an attacker could trigger it simply by sending a specially crafted email that Outlook retrieves and processes before the user even views it in the Preview Pane.

“This is because the vulnerability is triggered on the email server side, meaning exploitation would occur before a victim views the malicious email,” said Satnam Narang, senior staff research engineer at Tenable, in an emailed comment. An attacker could use the victim’s Net-NTLMv2 hash to conduct an attack that exploits the NTLM challenge-response mechanism and allows the adversary to authenticate as the user.

That makes the bug more of an authentication bypass vulnerability than a privilege escalation issue, added ZDI researcher Dustin Childs in a blog post that summarized the most important flaws in Microsoft’s March Patch Tuesday update. Disabling the Preview Pane option will not mitigate the threat because the bug gets…