by Thanks to the precise four-week length of February this year, the coincidence of Firefox and Microsoft updates happened again last month.
Last month Microsoft took a look at three zero-days, ie vulnerabilities that cybercriminals found first, and figured out how to exploit them in real-world attacks before patches were available.
(The name zero dayor only 0 dayis a reminder of the fact that even the most sophisticated and proactive patchers among us have enjoyed exactly zero days when we could have been ahead of the crooks.)
There are two zero-day fixes in March 2023, one in outlookand the other in Windows SmartScreen.
Intriguing for a bug discovered in the wild, albeit reported as rather sober by Microsoft exploitation detectedthe Outlook error is jointly attributed to CERT-UA (Ukrainian Computer Emergency Response Team), Microsoft Incident Response and Microsoft Threat Intelligence.
You can make whatever you want out of it.
Outlook EOP
This error, called CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability (EoP), is described as follows:
An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash, which could be used as the basis for an NTLM relay attack against another service to authenticate as a user. […]
The attacker could exploit this vulnerability by sending a specially crafted email that is automatically triggered when retrieved and processed by the Outlook client. This could lead to an exploit BEFORE the email is shown in the preview pane. […]
External attackers could send specially crafted emails that establish a connection from the victim to an external UNC location under the attacker’s control. This passes the victim’s Net-NTLMv2 hash to the attacker, who can then forward it to another service and authenticate themselves as the victim.
To explain (as far as we can guess since we don’t have any details about the attack).
Net-NTLMv2 authentication, which we call NTLM2 for short, works something like this:
- The location you are connecting to sends over 8 random bytes known as a Challenge.
- your computer generates its own 8 random bytes.
- You Compute an HMAC-MD5 keyed hash of the two challenge strings Use an existing, securely stored hash of your password as the key.
- You Submit the encrypted hash and your 8 byte challenge.
- The other end now has both 8-byte challenges and your one-time answer, so it can Recompute the encrypted hash and check your answer.
There’s actually a bit more to it as there are actually two key hashes, one shuffles the two 8 byte random numbers and the other shuffles additional data including your username, domain name and the current time.
But the basic principle is the same.
Neither your actual password nor the stored hash of your password, for example from Active Directory, is ever transmitted, so it cannot leak out in transit.
Also, both sides can insert 8 bytes of their own randomness each time, which prevents either party from secretly reusing an old challenge string in hopes of ending up with the same encrypted hash as in a previous session.
(Enclosing the time and other login-specific data provides additional protection against so-called repeat attacksbut we ignore those details here.)
Sit in the middle
As you can imagine, the attacker can trick you into “logging in” to their fake server (either when you read the booby-trapped email or, worse, when Outlook starts processing it on your behalf before even a glimpse of how bogus it might look), end up giving a single valid NTLM2 response.
This answer is intended to prove to the other end not only that you really know the password of the account you claim is yours, but also (due to the challenge data mixed in) that you’re not just reusing a previous answer.
As Microsoft warns, if the timing is right, an attacker could potentially begin to authenticate against a real server like you without knowing your password or its hash, only to receive an 8-byte boot prompt from the real server …
…then hand that challenge back to you once you’re tricked into logging into their fake server.
If you then calculate the key hash and send it back as your “proof that I now know my own password”, the crooks may be able to forward this correctly calculated answer to the real server they are trying to infiltrate, and so around that server to do so to make you accept them as if they were you.
In short, you’re dying to patch against this patch because even if the attack takes a lot of tries, time and luck, and it’s not very likely to work, we already know it’s one “exploitation detected”.
In other words, the attack can be made to work and has been successful at least once against an unsuspecting victim who hasn’t done anything risky or wrong themselves.
SmartScreen security bypass
The second zero day is CVE-2023-24880and this one pretty much describes itself: Vulnerability to bypass the Windows SmartScreen security feature.
Simply put, Windows typically tags files arriving over the Internet with a flag that says, “This file came from outside; Treat it with kid gloves and don’t trust it too much.”
This where-it-is-from flag was formerly known as a file internet zone ID, and it reminds Windows how much (or how little) trust it should place in the contents of that file when used later.
These days the Zone ID (for what it’s worth, an ID of 3 means “from the internet”) is usually referred to by the more dramatic and memorable name sign of the webor MotW short.
Technically, this zone ID is stored together with the file in a so-called Alternate data streamor To sue, but files can only contain ADS data when stored on NTFS-formatted Windows disks. For example, if you save a file to a FAT volume or copy it to a non-NTFS drive, the zone ID is lost, so this protection marking is not permanent.
This error means that some files coming in from outside – for example downloads or email attachments – are not tagged with the correct MotW identifier, allowing them to stealthily bypass Microsoft’s official security checks.
Microsoft’s public bulletin doesn’t say exactly what types of files (images? Office documents? PDFs? all?) can be introduced into your network in this way, but it warns very broadly “Security features like Protected View in Microsoft Office” can be bypassed with this trick.
We suspect that malicious files that would normally be rendered harmless, for example by suppressing built-in macro code, may come to life unexpectedly when viewed or opened.
The update once again puts you on par with the attackers, so: Don’t hesitate and patch it today.
What to do?
- patch as soon as possible, as we just said above.
- Read the full SophosLabs analysis of these bugs and more than 70 other patchesif you are still not convinced.
