Microsoft's latest Patch Tuesday update includes remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks.
The two vulnerabilities that have come under active attack are a Microsoft Outlook privilege escalation flaw (CVE-2023-23397, CVSS score: 9.8) and a Windows SmartScreen security feature bypass (CVE-2023-24880, CVSS score: 5.1).
CVE-2023-23397 is "triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server," Microsoft said in a standalone advisory. A threat actor could leverage this flaw by sending a specially crafted email, which triggers automatically when it is retrieved and processed by the Outlook client for Windows. As a result, exploitation requires no user interaction and can occur even before the message is viewed in the Preview Pane. Microsoft credited the Computer Emergency Response Team of Ukraine (CERT-UA) with reporting the flaw, adding it is aware of "limited targeted attacks" mounted by a Russia-based threat actor against government, transportation, energy, and military sectors in Europe.
These latest updates from Microsoft come as a response to active exploitation of two different vulnerabilities, one affecting Microsoft Outlook and the other affecting the Windows SmartScreen security feature. The Outlook vulnerability, CVE-2023-23397, is a privilege escalation flaw that a threat actor could exploit by sending a specially crafted email. The email triggers the flaw automatically when it is retrieved and processed by the Outlook client for Windows, so exploitation requires no user interaction. The other vulnerability, CVE-2023-24880, is a Windows SmartScreen security feature bypass that a threat actor could exploit to bypass security warnings and run malicious software. Microsoft has credited the Computer Emergency Response Team of Ukraine (CERT-UA) with reporting the Outlook flaw and is aware of active attacks by a Russia-based threat actor against government, transportation, energy, and military sectors in Europe.
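Because the CVE-2023-23397 trigger described above is a UNC path carried in a message property, one defensive check is to scan exported message properties for UNC paths that point outside the organisation. The following is an added example, not code from Microsoft or from the original article; the property label `ext_prop`, the internal suffix and the sample messages are constructed assumptions.

```python
import ipaddress
import re

# Assumptions (constructed): what this organisation treats as internal.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# \\host\share..., tolerating an "@port" or "@SSL" suffix on the host part.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\/@]+)(?:@[^\\/]+)?[\\/]")

def unc_host(value):
    """Return the lower-cased host of a UNC path, or None if not a UNC path."""
    m = UNC_RE.match(value.strip())
    return m.group("host").lower() if m else None

def is_internal(host):
    """Classify a UNC host as internal using the allowlists above."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        pass  # not an IP literal, fall through to name checks
    if "." not in host:
        return True  # single-label name: treated as internal here (assumption)
    return host.endswith(INTERNAL_SUFFIXES)

def flag_message(props):
    """Return (property, host) pairs whose value is a UNC path to an external host."""
    hits = []
    for name, value in props.items():
        if not isinstance(value, str):
            continue
        host = unc_host(value)
        if host and not is_internal(host):
            hits.append((name, host))
    return hits

# Constructed sample: message id -> exported string properties.
SAMPLE = {
    "msg-1": {"subject": "Q1 report", "ext_prop": r"\\fileserver\media\chime.wav"},
    "msg-2": {"subject": "Reminder", "ext_prop": r"\\203.0.113.10\share\a.wav"},
    "msg-3": {"subject": "Sync", "ext_prop": r"\\files.example.net@SSL\dav\x"},
    "msg-4": {"subject": "Notes", "ext_prop": r"\\nas01.corp.example\team\n.wav"},
}

if __name__ == "__main__":
    for msg_id, props in SAMPLE.items():
        for prop, host in flag_message(props):
            print(f"{msg_id}: {prop} points at external host {host}")
```

A hit is a reason to inspect the message and the host, not proof of compromise; pair it with egress filtering of TCP 445 at the network boundary.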