A total of 83 vulnerabilities have been addressed in this month’s patch Tuesday security updates from Microsoft, including two zero-day flaws, and nine vulnerabilities rated as critical severity. Four of these critical severity vulnerabilities specifically affecting Windows 11, and one affecting Microsoft Office, have been included in Microsoft Defender’s default new vulnerabilities notifications sent to customers to inform them of the flaws. This includes the critical elevation of privilege vulnerability CVE-2023-1017 which affects the Windows boot security hardware TPM 2.0 module library.  

The other three critical severity Windows 11 flaws that Microsoft has warned customers about are all remote code execution vulnerabilities that can be exploited by an unauthenticated attacker without any need for user interaction with CVSS base scores of 9.8. HTTP Protocol Stack vulnerability CVE-2023-23392 could be exploited by a remote attacker sending a specially crafted packet to the server that uses the vulnerable http.sys protocol stack to process packets, leading to arbitrary code execution. CVE-2023-23415 is an Internet Control Message Protocol (ICMP) vulnerability that can only be exploited if an application on the victims’ machine is bound to a raw socket. This allows for an attacker to send a malicious ICMP packet that contains a low-level protocol error containing a fragmented IP packet in its header, which triggers a vulnerable code path leading to remote code execution. Remote Procedure Call (RPC) Runtime vulnerability CVE-2023-21708 can be exploited by an attacker sending a malicious RPC call to an RPC host. When this call is run on the server side, it will be executed with the same permissions as the RPC service. A potential mitigation for this is to block the TCP port 135 with a perimeter firewall to prevent RPC calls. 

The critical severity Microsoft Office vulnerability, CVE-2023-23397 is one of the two zero-day vulnerabilities addressed in these updates. Exploitation has been detected in the wild for this flaw, which can be remotely exploited by an unauthenticated attacker without any interaction from a user. This is an elevation of privilege vulnerability that occurs in Microsoft Outlook and can be exploited by an attacker sending a malicious email crafted to trigger automatically when received and processed by the Outlook client. This means that the attack can begin before the email is viewed in the preview pane. A connection is caused from the target to an external UNC that will provide the attacker with access to the Net-NTLMv2 hash of the victim. This allows the attacker to authenticate as their victim in an NTLM Relay attack which can be used to target another service. 

The second zero-day flaw patched in these updates is medium severity vulnerability CVE-2023-24880, which has a CVSS base score of 5.4/10. Despite this low severity rating, this flaw has been actively exploited in ransomware attacks, in which the vulnerability is exploited in order to bypass Windows SmartScreen, a cloud-based anti-virus service, to allow the attacker to deploy Magniber ransomware payloads on the target without detection. As well as active exploitation, exploit code for this vulnerability has also been publicly disclosed. An attacker can utilise this security feature bypass flaw to send malicious files to their victim that avoid detection as Mark of the Web (MOTW) despite being assigned this tag correctly by their device. The MOTW is added as an NTFS stream to the file which when run is checked by Windows SmartScreen. This is checking for an attached zone identifier Alternate Data Stream (ADS) on the file, which should be ZoneId=3 for files that have been downloaded from the internet. The exploit of this vulnerability means that this SmartScreen reputation check is bypassed and potentially malicious files from the internet are not properly handled, such as run in protected view, meaning malware payloads can be delivered to the target device.  

All Microsoft and Windows updates can be found on the Security Update Guide and should be applied to all devices as soon as possible to protect from the possibility of an attack.