Η Microsoft και άλλες εταιρείες λογισμικού κυκλοφορήσαν τις μηνιαίες ενημερώσεις για τον μήνα Μάρτιο. Συνολικά η Microsoft έχει επιδιορθώσει 101 ευπάθειες και οι δύο από αυτές είναι zero-days. Επιπλέον, η Adobe επιδιόρθωσε ένα zero-day στο ColdFusion.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed (zero-day) security flaws. The CVEs are:
CVE-2023-23397: a critical Microsoft Outlook Elevation of Privilege (EoP) vulnerability. External attackers could send specially crafted emails to induce a connection from the victim to an external UNC site that they control. This would leak the victim's Net-NTLMv2 hashes to the attacker, who could then verify the victim's identity.
The vulnerability could be used for "pass-the-hash" attacks.
CVE-2023-24880: a moderate Windows SmartScreen security feature bypass vulnerability. An attacker could create a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in limited integrity of security features such as Protected View in Microsoft Office that rely on MOTW. This vulnerability has reportedly been used in ransomware-related attacks.
CVE-2023-26360: ranked as a #1 priority vulnerability in Adobe ColdFusion. The vulnerability could lead to arbitrary code execution.
Adobe says it is aware that CVE-2023-26360 has already been exploited online in very limited attacks targeting Adobe ColdFusion.
The company recommends updating the ColdFusion 2021 and 2018 JDK/JRE versions to the latest LTS release for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.