A federal cybersecurity agency this week advised users and administrators to update Microsoft Windows due to “multiple vulnerabilities” that can allow “an attacker can exploit some of these vulnerabilities to take control of an affected system.”
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency wrote on March 14 that it “encourages users and administrators to review Microsoft’s March 2023 Security Update Guide” for necessary updates. Microsoft’s patch, issued Tuesday, was rolled out to deal with about 80 security flaws in the Windows operating system, two of which are being actively exploited.
Eight of the 80 vulnerabilities are rated as critical, while 71 are rated important. Two of those eight have become actively targeted, including a Microsoft Outlook privilege escalation issue and a bypass of the Windows SmartScreen security feature, Microsoft said in a bulletin.
The aforementioned Outlook flaw can be “triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server,” Microsoft said. “No user interaction is required.”
Microsoft’s “Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager credential theft,” it said. “Microsoft has released [the bug] to address the critical elevation of privilege vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure.”
Cybersecurity blog Krebs on Security noted that a malign actor can send “a booby-trapped email that triggers automatically when retrieved by the email server—before the email is even viewed in the Preview Pane.”
“The vulnerability effectively lets the attacker authenticate as a trusted individual without having to know the person’s password,” Kevin Breen, director of cyber threat research at Immersive Labs, told the blog. “This is on par with an attacker having a valid password with access to an organization’s systems.”
For the SmartScreen critical flaw, it likely “means that malicious files that would usually be rendered harmless, for example by having built-in macro code suppressed, might be able to spring into life unexpectedly when viewed or opened,” said cybersecurity website Sophos. “Once again, the update will bring you back on par with the attackers, so: Don’t delay/Patch it today.”
Earlier this week, Adobe also released eight patches addressing about 105 security problems across a number of its products, including Photoshop, Illustrator, Cold Fusion, Experience Manager, Dimension, Commerce, Magento, Substance 3D Stager, and Cloud Desktop Application. On Thursday, CISA warned that ColdFusion’s bug is now being exploited, while Adobe noted that the company “is aware that [the bug] has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.”
And earlier this month, a nonprofit security group issued an advisory telling Google Android smartphone users to update their systems as soon as possible due to “multiple vulnerabilities” that could allow for an attacker to remotely install programs or delete data.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” an Android bulletin states. “User interaction is not needed for exploitation.”