
Microsoft fixes two 0-days on Patch Tuesday – update now! – Naked Security

Thanks to the exactly-four-week length of February this year, last month's coincidence of Firefox and Microsoft updates has happened once again.

Last month, Microsoft dealt with three zero-days, meaning security holes that cybercriminals found first and figured out how to abuse in real-world attacks before a patch was available.

(The name zero-day, or just 0-day, reminds us that even the most progressive and proactive patchers among us enjoyed exactly zero days during which we could have been ahead of the crooks. 😉)

In March 2023, there are two zero-day fixes: one in Outlook, and the other in Windows SmartScreen.

Interestingly for a bug found in the wild, Microsoft reported it rather blandly as Exploitation Detected. The Outlook flaw is jointly credited to CERT-UA (the Ukrainian Computer Emergency Response Team), Microsoft Incident Response and Microsoft Threat Intelligence.

Make of that what you will.

Outlook EoP

Dubbed CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability, this EoP bug is explained as follows:

An attacker who successfully exploited this vulnerability could gain access to a user's Net-NTLMv2 hash, which could be used as the basis for an NTLM relay attack against other services to authenticate as the user. […]

An attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation before the email is viewed in the Preview Pane. […]

External attackers could send specially crafted emails that direct the victim's computer to an external UNC location controlled by the attacker. This leaks the victim's Net-NTLMv2 hash to the attacker, who can relay it to another service and authenticate as the victim.

To explain (as far as we can guess, given that no details of the attacks seen in the wild have been published):

Net-NTLMv2 authentication, which we'll refer to simply as NTLM2, works roughly like this.

  • The server you want to connect to sends 8 random bytes, known as the challenge.
  • Your computer generates 8 random bytes of its own.
  • You compute an HMAC-MD5 keyed hash of the two challenge strings, using a hash of your securely stored password as the key.
  • You send the keyed hash and your own 8-byte challenge.
  • The other end, now in possession of both 8-byte challenges and your one-time response, recalculates the keyed hash and checks that your response matches.

Actually, there are two keyed hashes: one mixes in the two 8-byte random challenges, and the other mixes in additional data including the username, domain name and current time.

But the basic principles are the same.

Neither your actual password nor your stored password hash (e.g. in Active Directory) is transmitted, so neither can be leaked in transit.

Also, because both parties inject 8 bytes of randomness each time, neither side can sneakily reuse a previous challenge string in the hope of ending up with the same keyed hash as in an earlier session.

(Mixing in the time and other logon-related data also helps to prevent so-called replay attacks, but we'll ignore those details here.)

Sitting in the middle

As you can imagine, given that an attacker could trick you into "logging on" to a bogus server (with you getting no hint of just how bogus it was, either when you read a booby-trapped email or, worse, when Outlook processed it on your behalf), a single valid NTLM2 response would leak.

That response is intended to prove to the other party both that you really do know the password for the account you claim to own, and that you are not reusing a previous answer (because of the challenge data that was mixed in).

So, as Microsoft warned, an attacker who could time things correctly could start authenticating to a genuine server, without knowing your password or hash, in order to obtain an 8-byte starting challenge from that real server…

…and then, at the moment you were tricked into trying to log in to the fake server, pass that challenge straight back to you.

Then, when you calculated the keyed hash and sent it back as "proof that I know my own password", the crooks could pass your correctly computed response on to the genuine server they were trying to infiltrate, tricking it into accepting them as if they were you.

In short, even though an attack of this sort takes effort, time and luck, and is far from guaranteed to work, it has nevertheless earned the label Exploitation Detected.

In other words, the attack can work, and has succeeded at least once against an unsuspecting victim who had done nothing wrong.
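As an added illustration of the challenge/response flow described above, and of why a stale response cannot simply be replayed, here is example code written for this article (it is not Microsoft's implementation). It models the two keyed hashes with Python's hmac module. The names stored_password_hash, ntlm2_key, run_session, replay_is_rejected and wrong_password_is_rejected are this example's own, and the stored hash is a constructed SHA-256 stand-in rather than the real NT hash, so the bytes it produces are not real NTLM2 values.

```python
import hashlib
import hmac
import os
import struct
import time

# Assumption: a SHA-256 digest stands in for the stored password hash so the
# example runs anywhere. Real NTLM2 derives its key from the NT hash instead.
def stored_password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

# First keyed hash: folds the username and domain into a per-user key.
def ntlm2_key(pw_hash: bytes, username: str, domain: str) -> bytes:
    identity = (username.upper() + domain).encode("utf-16-le")
    return hmac.new(pw_hash, identity, hashlib.md5).digest()

# Second keyed hash: mixes the server's 8-byte challenge with the client's
# 8-byte challenge and the current time, keyed with the per-user key.
def compute_response(key: bytes, server_challenge: bytes,
                     client_challenge: bytes, timestamp: int) -> bytes:
    blob = struct.pack("<Q", timestamp) + client_challenge
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()

# The server recomputes the keyed hash from what it received and compares in
# constant time. The password and its stored hash never cross the wire.
def verify_response(key: bytes, server_challenge: bytes, client_challenge: bytes,
                    timestamp: int, response: bytes) -> bool:
    expected = compute_response(key, server_challenge, client_challenge, timestamp)
    return hmac.compare_digest(expected, response)

def run_session(password: str, username: str, domain: str,
                server_challenge: bytes = None, client_challenge: bytes = None,
                timestamp: int = None):
    """One honest exchange. Returns (accepted, transcript), where transcript is
    (server_challenge, client_challenge, timestamp, response): everything an
    eavesdropper on the wire would get to see."""
    if server_challenge is None:
        server_challenge = os.urandom(8)
    if client_challenge is None:
        client_challenge = os.urandom(8)
    if timestamp is None:
        timestamp = int(time.time())
    key = ntlm2_key(stored_password_hash(password), username, domain)
    response = compute_response(key, server_challenge, client_challenge, timestamp)
    accepted = verify_response(key, server_challenge, client_challenge, timestamp, response)
    return accepted, (server_challenge, client_challenge, timestamp, response)

def replay_is_rejected(password: str, username: str, domain: str) -> bool:
    """A response captured from one session must fail against a fresh challenge."""
    _, (_, client_challenge, timestamp, old_response) = run_session(password, username, domain)
    key = ntlm2_key(stored_password_hash(password), username, domain)
    fresh_challenge = os.urandom(8)
    return not verify_response(key, fresh_challenge, client_challenge, timestamp, old_response)

def wrong_password_is_rejected(real_password: str, guess: str,
                               username: str, domain: str) -> bool:
    """A client that merely guesses the password produces a response the server rejects."""
    server_challenge, client_challenge, timestamp = os.urandom(8), os.urandom(8), int(time.time())
    guessed_key = ntlm2_key(stored_password_hash(guess), username, domain)
    response = compute_response(guessed_key, server_challenge, client_challenge, timestamp)
    real_key = ntlm2_key(stored_password_hash(real_password), username, domain)
    return not verify_response(real_key, server_challenge, client_challenge, timestamp, response)

if __name__ == "__main__":
    ok, (sc, cc, ts, resp) = run_session("correct horse battery", "alice", "CORP")
    print("honest session accepted:", ok)
    print("on the wire:", sc.hex(), cc.hex(), ts, resp.hex())
    print("replay rejected:", replay_is_rejected("correct horse battery", "alice", "CORP"))
    print("wrong password rejected:",
          wrong_password_is_rejected("correct horse battery", "guess", "alice", "CORP"))
```

Note what the response binds: the two challenges, the time and the user's credential. Nothing in it identifies which server actually issued the 8-byte challenge, which is why a response computed in good faith for a bogus server can be honoured by the genuine one, as described above, while a captured response replayed against a fresh challenge fails.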

SmartScreen security bypass

The second zero-day is CVE-2023-24880, and this one almost explains itself: Windows SmartScreen Security Feature Bypass Vulnerability.

In short, Windows usually tags files that arrive over the internet with a note that says, in effect, "This file came from outside. Treat it with kid gloves and don't trust it too much."

This where-it-came-from flag is known as the internet zone identifier, and it tells Windows how much to trust the contents of the file whenever it is used in future.

These days, the zone ID (for what it's worth, ID 3 means "from the internet") is usually referred to by a more dramatic and memorable name: the mark of the web, or MotW for short.

Technically, this zone ID travels along with the file in what's known as an Alternate Data Stream, or ADS, but a file can only have ADS data if it is stored on an NTFS-formatted Windows disk. This protective label is therefore not permanent: the zone ID is lost if the file is saved to a FAT volume or copied to a non-NTFS drive, for example.

This bug means that some files arriving from outside (such as downloads or email attachments) are not tagged with the correct MotW identifier, and thus sneakily evade Microsoft's official security checks.

Microsoft's public bulletin doesn't say exactly what types of files (images? Office documents? PDFs? all of them?) can sneak into your network this way, but it does warn very broadly that "security features such as Protected View in Microsoft Office" can be bypassed with this trick.

We assume this means that malicious files that would normally be rendered harmless, for example by having their embedded macro code suppressed, could unexpectedly come to life when viewed or opened.
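As an added example (not code from the original article or from Microsoft), here is a small Python checker for the Zone.Identifier alternate data stream that carries the mark of the web. The stream is INI-style text with a [ZoneTransfer] section, and the checker classifies a file as trusted, untrusted or unmarked from it. The names parse_zone_identifier, classify, read_mark_of_the_web and scan_folder are this example's own, and the sample stream contents are constructed. On a non-Windows system the file read returns None, mirroring what happens when a file has been stored on a non-NTFS volume and the ADS is gone.

```python
import os
import sys

# Windows URL security zones as recorded in the ZoneId field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample streams, modelled on what a browser writes into the
# Zone.Identifier alternate data stream of a downloaded file.
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/\r\n"
    "HostUrl=https://example.com/report.docm\r\n"
)
SAMPLE_NO_ZONEID = "[ZoneTransfer]\r\nHostUrl=https://example.com/report.docm\r\n"

def parse_zone_identifier(stream_text: str):
    """Parse the INI-style Zone.Identifier contents.

    Returns None when there is no [ZoneTransfer] section at all; otherwise a
    dict holding 'zone_id' (int, or None if absent or malformed) plus any other
    key=value fields in the section, such as HostUrl and ReferrerUrl."""
    in_section = False
    seen_section = False
    fields = {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            seen_section = seen_section or in_section
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if not seen_section:
        return None
    raw_zone = fields.pop("ZoneId", None)
    fields["zone_id"] = int(raw_zone) if raw_zone is not None and raw_zone.isdigit() else None
    return fields

def classify(mark) -> str:
    """'untrusted' for Internet/Restricted zones (3 and up), 'trusted' for the
    local zones, 'unmarked' when the stream is missing or has no usable ZoneId.
    Windows treats an unmarked file as local, which is the gap a missing-MotW
    bug opens, so a defender's own scan of a downloads folder should report
    'unmarked' files rather than silently waving them through."""
    if mark is None or mark.get("zone_id") is None:
        return "unmarked"
    return "untrusted" if mark["zone_id"] >= 3 else "trusted"

def read_mark_of_the_web(path: str):
    """Read a file's Zone.Identifier ADS. Only NTFS on Windows stores it, so on
    other platforms, on FAT volumes, or when the stream is absent this is None."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None

def scan_folder(folder: str) -> dict:
    """Map each regular file in a folder to its classification."""
    results = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            results[path] = classify(read_mark_of_the_web(path))
    return results

if __name__ == "__main__":
    for label, text in (("internet download", SAMPLE_INTERNET), ("no ZoneId", SAMPLE_NO_ZONEID)):
        mark = parse_zone_identifier(text)
        zone = mark["zone_id"] if mark else None
        print(f"{label}: zone={zone} ({ZONE_NAMES.get(zone, 'n/a')}) -> {classify(mark)}")
    print("missing stream ->", classify(None))
    if len(sys.argv) > 1:
        for path, verdict in scan_folder(sys.argv[1]).items():
            print(verdict, path)
```

Run it with a folder path on a Windows NTFS volume to list which downloaded files still carry their mark; the constructed samples are printed regardless of platform.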

Once again, patching will put you back on a par with the attackers. Don't delay: patch today.

What to do?

  • Patch as soon as possible, as mentioned above.
  • Read the full SophosLabs analysis of these bugs plus the 70+ other patches, if you are still unsure.
