And, as you know, it’s the second Tuesday of the month, which means that Windows users are looking towards the tech giant in hopes that some of the flaws they’ve been struggling with will finally get fixed. We have already taken the liberty of providing the direct download links for the cumulative updates released today for Windows 7, 8.1, 10, and 11, but now it’s time to talk CVEs again. For March, Microsoft released 74 new patches, one less than last month, which is still more than some people were expecting for the third month of 2023. These software updates address CVEs in:

- Windows and Windows components
- Office and Office Components
- Exchange Server
- .NET Core and Visual Studio Code
- 3D Builder and Print 3D
- Microsoft Azure and Dynamics 365
- Defender for IoT and the Malware Protection Engine
- Microsoft Edge (Chromium-based)

You probably want to know more on the matter, so let’s dive right into it and see what all the fuss is about this month.

74 new patches released to fix serious security issues

Let’s just say that February was far from being a busy month for Microsoft, and still, they managed to release a total of 75 updates. However, it seems that the situation isn’t getting any better, since the tech giant released only one less update this month, for a total of 74.

Please keep in mind that, out of all the patches released today, six are rated Critical, 67 are rated Important, and only one is rated Moderate in severity. Furthermore, remember that this is one of the largest volumes we’ve seen from Microsoft for a March release in quite some time.

We have to say that it is a bit unusual to see half of the Patch Tuesday release address remote code execution (RCE) bugs. It’s important to be aware that two of the new CVEs are listed as under active attack at the time of release, with one of those also being listed as publicly known.

That being said, let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack.

Let’s look at CVE-2023-23397 for one second. Even though it is technically a spoofing bug, experts consider the result of this vulnerability to be an authentication bypass. Thus, it allows a remote, unauthenticated attacker to access a user’s Net-NTLMv2 hash just by sending a specially crafted e-mail to an affected system.

CVE-2023-23392 could actually allow a remote, unauthenticated attacker to execute code at system level without user interaction. That combination makes this bug wormable, at least through systems that meet the target requirements: the target system needs to have HTTP/3 enabled and set to use buffered I/O.

There’s a CVSS 9.8 bug in RPC Runtime that also has some wormable potential. That being said, unlike ICMP, it is a good idea to block RPC traffic (specifically TCP port 135) at the perimeter.

Also, there’s a fair number of Elevation of Privilege (EoP) bugs receiving patches this month, and the majority of these require the attacker to execute their code on a target to escalate privileges.

Moving on to the information disclosure vulnerabilities receiving patches this month, the vast majority simply result in info leaks consisting of unspecified memory contents. However, there are a couple of exceptions. The bug in Microsoft Dynamics 365 could leak a verbose error message that attackers could use to create malicious payloads. And the two bugs in OneDrive for Android could leak certain Android/local URIs that OneDrive can access. Once again, you will most likely need to get this patch from the Google Play store if you haven’t configured automatic app updates.

We have to point out that there are three additional DoS fixes released this month. There’s no additional info about the patches for Windows Secure Channel or the Internet Key Exchange (IKE) Extension. On that note, we can expect a successful exploit of these bugs to interfere with authentication processes, so make sure you keep that in mind at all times.

Feel free to check each individual CVE and find out more about what it means, how it manifests, and what scenarios malicious third parties can use to exploit it. Have you found any other issues after installing this month’s security updates? Share your experience with us in the comments section below.
