Every second Tuesday of the month, Microsoft and Adobe release their monthly updates. This regular event is known as “Patch Tuesday” and is an opportunity for vendors to fix any vulnerabilities and improve the security of their products. The latest Patch Tuesday, on April 11, 2023, saw Microsoft and Adobe fix several critical vulnerabilities, including two actively exploited zero-days.
Microsoft has fixed a total of 101 vulnerabilities for several titles, including Edge. Two of these vulnerabilities were actively exploited zero-days. On top of that, Adobe has fixed an actively exploited vulnerability in ColdFusion. These updates address publicly disclosed computer security flaws, which are listed in the Common Vulnerabilities and Exposures (CVE) database.
One of the actively exploited vulnerabilities patched in these updates is CVE-2023-23397. This is a critical Microsoft Outlook Elevation of Privilege (EoP) vulnerability that allows external attackers to send specially crafted emails to cause a connection from the victim to an external UNC location of the attacker’s control. This would leak the Net-NTLMv2 hash of the victim to the attacker who could then relay this to another service and authenticate as the victim. The mail would be triggered automatically when retrieved and processed by the Outlook client, which could result in exploitation even before the email is viewed in the Preview Pane. This vulnerability could be used to obtain a hashed token, which could then be used in a so-called “pass-the-hash” attack.
Another vulnerability is CVE-2023-24880, which is a moderate Windows SmartScreen Security Feature Bypass vulnerability. An attacker could craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. This vulnerability was reportedly used in ransomware-related attacks.
The third vulnerability is classified as a priority 1 vulnerability in Adobe ColdFusion due to critical deserialization of untrusted data. This flaw can lead to arbitrary code execution, making it a high-priority target for attackers. Adobe says it is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion. Adobe recommends updating your ColdFusion versions 2021 and 2018 JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.
It is crucial to note that keeping your systems up to date is essential in mitigating the risks associated with these vulnerabilities. It is also crucial to apply vendor-recommended security configurations and settings as outlined on the vendor’s security pages, as well as review the respective Lockdown guides.
Other vendors have synchronized their periodic updates with Microsoft. SAP has released security updates for 19 vulnerabilities, five of which were rated as critical. It is essential to keep all systems up to date with the latest patches to mitigate the risk of cyberattacks.
In conclusion, Patch Tuesday is an opportunity for vendors to improve the security of their products by fixing vulnerabilities. The latest Patch Tuesday saw Microsoft and Adobe fix several critical vulnerabilities, including two actively exploited zero-days. It is crucial to apply these patches as soon as possible to reduce the risk of cyberattacks. It is also essential to keep all systems up to date with the latest patches and to apply recommended security configurations and settings. Stay safe online by keeping your systems up to date and following best practices in cybersecurity.