The IT Nerd

The Canadian Government is urging users of Microsoft operating systems to install all the patches that came out as part of Microsoft’s Patch Tuesday dump to fix a vulnerability where a malicious email can pwn you even before you open the email in question:

The Canadian Centre for Cyber Security is warning about a significant vulnerability impacting Microsoft email users that allows threat actors to steal victims’ identities.

The alert sent out Wednesday says the advisory from Microsoft was one of “several critical vulnerabilities” published by the company the day before.

“We are flagging this alert this evening due to the seriousness of the vulnerability,” a spokesperson for the Cyber Centre said in an email to Global News Wednesday.

The advisory in question, dubbed CVE-2023-23397 by Microsoft, disclosed a zero-day vulnerability found in an email crafted by threat actors that contains a malicious payload, the agency said.

That payload will cause the victim’s Outlook email client to automatically connect to a universal naming convention agent controlled by the actor who will then receive the user’s password hash, which contains login credentials.

Microsoft users are being advised to install newly-pushed security patches immediately to protect themselves from the vulnerability.

I’ve rarely seen a Patch Tuesday where there has been critical patch after critical patch that users are urged to install. My suggestion would be not to treat this batch of Patch Tuesday updates as trivial. Instead, I would get about patching all the things ASAP because it’s a safe bet that threat actors are going to exploit these vulnerabilities, if they haven’t already.

I say that because Microsoft used Patch Tuesday to correct a zero-day bug in the Windows SmartScreen anti-malware web service that was allowing hackers to deliver malware without users noticing. Tracked as CVE-2023-24880, this vulnerability allowed the hackers to prevent security alerts from popping up and warning users when opening malicious files from the Internet.

The exploit was discovered by Google’s Threat Analysis Group (TAG) and reported to Microsoft on February 15. The exploit uses malicious MSI files that were signed with a specially crafted Authenticode signature that would cause SmartScreen to fail and not alert the user. TAG points out that the real issue here is that Microsoft had “narrowly” patched a similar vulnerability, CVE-2022-44698, back in December, but as they pointed in out in their blog post this week:

“This security bypass is an example of a larger trend Project Zero has highlighted previously: vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants,”

“When patching a security issue, there is tension between a localized, reliable fix and a potentially harder fix of the underlying root cause issue. Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug.

Morten Gammelgaard, EMEA, co-founder, BullWall had this to say:

   “The fact is, malicious actors will always find a way to get into your network. Microsoft had patched this vulnerability last December only to see the threat actors change direction and find a new way in. There is no final fix for network security. As we saw in a recent LA Housing Authority ransomware attack,  the LockBit group was in that network for an entire year before they took action and encrypted the network. 

   “Even Elon Musk had his spaceship designs stolen and held for ransom recently. And if you think no one will notice your small business, they will probably notice your suppliers and either shut down your supply chain or move laterally into your network itself.”

If you’re wondering where the Elon Musk reference comes from, this will help you to get up to speed on that. But in any case, given that this is a significant vulnerability that you need to get about patching ASAP.