Microsoft has released fixes for two vulnerabilities that have been exploited in the wild, including a critical bug in Outlook that affects all versions of Outlook for Windows.
That vulnerability was discovered by the Ukrainian CERT and Microsoft said that an attacker based in Russia has exploited the bug in targeted attacks recently.
“Through joint efforts, Microsoft is aware of limited targeted attacks using this vulnerability and initiated communication with the affected customers. Microsoft Threat Intelligence assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe,” Microsoft said in a blog post.
The bug is an elevation of privilege flaw in Outlook related to the way that Outlook handles messages with some specific properties.
“CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required,” the Microsoft post says.
“The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication.”
This vulnerability does not affect Outlook on other platforms or Outlook online.
The second vulnerability (CVE-2023-24880) that has been exploited in the wild is a SmartScreen bypass in Windows that affects Windows 10, 11, and many versions of Windows Server.
“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” the Microsoft advisory says.
Researchers at Google’s Threat Analysis Group discovered the SmartScreen bypass vulnerability and found that cybercriminals were using it to deliver the Magniber ransomware, mainly to victims in Europe.
“The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet,” Benoit Sevens of TAG said in a post.