Microsoft has patched 80 new security flaws, two of which are already being exploited in real-world attacks. That is slightly more than the 76 bugs it fixed in February, while the number of critical-rated vulnerabilities fell from 8 to 6.
One of the two is an elevation-of-privilege zero-day in the Windows Print Spooler service, the second Print Spooler flaw of its kind this year. According to the NSA, which reported it, the flaw is already being exploited in the wild.
Microsoft Fixes 80 Security Flaws; Two are Under Active Attack
1. Remote Code Execution (RCE) in Windows PowerShell
This month's security update addresses two remote code execution (RCE) vulnerabilities in PowerShell, Microsoft's task automation shell. These flaws allow an attacker who can feed crafted input to the vulnerable code path to execute arbitrary code on the targeted system, which may lead to data theft or other serious harm.
Both flaws stem from how PowerShell handles text that it later deserializes for consumption: input that should have been treated as inert data is processed in a way that lets an attacker influence what gets executed.
Microsoft's accompanying blog post outlines the risk: an attacker who achieves RCE gains unauthorized access to the target system and can extract sensitive data such as stored passwords and credentials.
A separate Windows RCE fix addresses an out-of-bounds write, where a malicious user can make the affected component write data past the end of its allocated memory buffer. Depending on what lies beyond that buffer, the result is corrupted data, a system crash, or control over what the process executes next.
Other notable fixes this month include a privilege escalation bug in Adobe ColdFusion (an Adobe product patched on the same cycle, not a Microsoft one) and a security-feature bypass in Microsoft's Windows SmartScreen. The SmartScreen flaw allows an attacker to circumvent Mark of the Web (MOTW) defenses with a specially crafted file, so a file that arrived from the internet opens without the warnings that normally apply to downloads. To help detect signs of compromise, the company has released a detection script.
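Mark of the Web is simply an NTFS alternate data stream named Zone.Identifier that browsers and mail clients attach to files they save; SmartScreen and Office Protected View key off it, so any bypass comes down to a file landing on disk without that stream or with one that is not honoured. The following is an added example, not code from the article or from Microsoft, showing how to read the mark, how a download client applies it, and how to audit recent files that carry no mark at all. It needs Windows with an NTFS volume; the demo file and the audit folder are constructed for the demonstration.

```powershell
# Added example (not from the article): inspect and audit the Mark of the Web (MOTW),
# which Windows stores as a "Zone.Identifier" alternate data stream on NTFS.
# The demo file below is constructed; the audit folder is the user's Downloads.

function Get-MotwZone {
    # Returns the ZoneId from a file's Zone.Identifier stream, or $null if the
    # file carries no MOTW. ZoneId 3 = Internet, 4 = Restricted sites.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $stream = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null   # no such stream: the file is not marked as downloaded
    }
    $line = $stream | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Find-UnmarkedDownloads {
    # Lists files under $Folder modified in the last $Days days that carry no MOTW.
    # Such files deserve a second look: either they came from a trusted local
    # source, or something stripped the mark or never applied it.
    param(
        [Parameter(Mandatory)][string]$Folder,
        [int]$Days = 7
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        Where-Object { $null -eq (Get-MotwZone -Path $_.FullName) } |
        Select-Object FullName, LastWriteTime
}

# --- demonstration on a constructed file in the temp directory ---
$demo = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -LiteralPath $demo -Value 'hello'
"Before marking: zone = $(Get-MotwZone -Path $demo)"      # empty: no stream yet

# Simulate what a browser does when it saves a download: write the ADS.
Set-Content -LiteralPath $demo -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
"After marking:  zone = $(Get-MotwZone -Path $demo)"      # 3

# Unblock-File deletes the stream; a MOTW bypass achieves the same end result
# without the user ever seeing a warning.
Unblock-File -LiteralPath $demo
"After unblock:  zone = $(Get-MotwZone -Path $demo)"      # empty again

Remove-Item -LiteralPath $demo

# Audit: recent files in Downloads that carry no mark (first ten shown).
Find-UnmarkedDownloads -Folder (Join-Path $env:USERPROFILE 'Downloads') -Days 7 |
    Select-Object -First 10
```

The audit is a triage aid, not a verdict: files copied from a network share or extracted by a tool that does not propagate the stream will also show up unmarked. What it does give an investigator is the short list of recently written files that SmartScreen and Protected View never had a chance to evaluate.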
2. Cross-site Scripting (XSS) in Internet Explorer
Cross-site scripting (XSS) is an attack in which untrusted input is reflected or stored into a web page so that it runs as script in other users' browsers. Because that script executes with the vulnerable page's origin, it can read session tokens and carry out actions on behalf of the user without their knowledge or consent.
XSS remains one of the most serious threats to internet users, particularly for applications that store sensitive data or handle confidential information. Fortunately, the mitigations are well understood and relatively straightforward to apply.
First, have your web servers send a Content Security Policy (CSP). A CSP tells the browser which sources scripts may be loaded from and, unless the policy explicitly allows it, blocks inline scripts and eval, which renders most injected payloads harmless even where an encoding mistake slipped through.
Second, understand what the Same-Origin Policy (SOP) does and does not do. SOP is enforced by the browser, not implemented on your web server: it stops a page from one origin reading responses from another. What the server controls is how far it relaxes SOP through CORS headers, so keep those as narrow as the application needs. SOP does not stop XSS, because injected script runs inside the vulnerable origin itself.
Third, stop untrusted input from ever becoming executable inside the application: encode data for the context it is written into (HTML body, attribute, JavaScript string, URL) and validate input against what the field is expected to contain. Framework templating engines do this automatically; hand-built string concatenation does not.
Finally, browser extensions such as script blockers can protect individual users from some XSS attacks and are available for the major browsers, including Chrome, Edge and Firefox. They are a user-side stopgap rather than a fix for the vulnerable application.
To recap: Microsoft fixed 80 new security flaws on March Patch Tuesday, two of them zero-day bugs that have been exploited in the wild. Four of the vulnerabilities carry a CVSS v3.1 base score above 9.0, placing them in the critical band; 71 are rated moderate and one low. The fixes span a range of software, including Microsoft Office and Internet Explorer.
3. VML Hole in Internet Explorer
Among the 80 fixes in this release is one that closes a VML hole in Internet Explorer which could be exploited by attackers to steal data from users.
Microsoft warns that a vulnerability in the way IE handles VML (Vector Markup Language) graphics can trigger a stack-based buffer overflow and allow arbitrary code execution on the system. This flaw affects Internet Explorer versions 5.0 and 6.0, as well as Windows 7 and 8.
The flaw lies in the VML rendering library that the browser loads as an ActiveX component. VML is an XML-based format for two-dimensional vector graphics of the kind produced by drawing tools such as Corel Draw, and a crafted VML element in a web page or HTML email is enough to reach the vulnerable code.
Although this vulnerability is not known to have been actively exploited, it raises serious concern that criminals could use it to infiltrate vulnerable systems with little or no user interaction, stealing a user's login credentials or installing malware onto the machine without detection.
Until the patch is applied, it is recommended that Active Scripting be disabled in Internet Explorer so that the malicious code cannot execute, and that email be read in plain text wherever possible so that exploits cannot be delivered via HTML email.
Apply this critical fix immediately. It is worth noting that an attacker who delivers the exploit through email needs far less from the victim than one who must lure them to a malicious web page; that is why disabling scripting in IE and reading mail in plain text are the recommended stopgaps.
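The two stopgaps above are per-user registry settings, and it helps to be able to push and verify them in bulk rather than clicking through dialogs. The following is an added example, not code from the article or from Microsoft, that applies and checks both. The IE zone value 1400 ("Active scripting": 0 = enable, 1 = prompt, 3 = disable) and the Outlook ReadAsPlain value are documented settings; the Outlook registry path assumes Office 16.0 (Outlook 2016 and later), and older mail clients use different keys.

```powershell
# Added example (not from the article): apply and verify the two workarounds the
# section recommends. Run as the affected user; both setters support -WhatIf.

$IeInternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$OutlookMail    = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'   # assumed Office version

function Disable-IEActiveScripting {
    # Value 1400 in the Internet zone (zone 3) controls Active scripting; 3 = Disable.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($IeInternetZone, 'Set Active scripting (1400) to Disable (3)')) {
        Set-ItemProperty -Path $IeInternetZone -Name '1400' -Value 3 -Type DWord
    }
}

function Enable-OutlookPlainText {
    # ReadAsPlain = 1 makes Outlook render all incoming mail as plain text.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $OutlookMail)) {
        New-Item -Path $OutlookMail -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($OutlookMail, 'Set ReadAsPlain = 1')) {
        Set-ItemProperty -Path $OutlookMail -Name 'ReadAsPlain' -Value 1 -Type DWord
    }
}

function Test-VmlWorkarounds {
    # Reports whether each stopgap is in place; a missing value counts as not set.
    $ie = (Get-ItemProperty -Path $IeInternetZone -Name '1400' -ErrorAction SilentlyContinue).'1400'
    $ol = (Get-ItemProperty -Path $OutlookMail -Name 'ReadAsPlain' -ErrorAction SilentlyContinue).ReadAsPlain
    [pscustomobject]@{
        IEActiveScriptingDisabled = ($ie -eq 3)
        OutlookReadsPlainText     = ($ol -eq 1)
    }
}

# Preview first, then apply and verify.
Disable-IEActiveScripting -WhatIf
Enable-OutlookPlainText   -WhatIf
Disable-IEActiveScripting
Enable-OutlookPlainText
Test-VmlWorkarounds
```

Running the block changes the current user's IE and Outlook settings, so keep the -WhatIf lines for a dry run on a new machine. The check function is the useful part at scale: collect its output from each endpoint and you know which users are still exposed while the patch rolls out.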
4. Remote Code Execution (RCE) in Windows Network File System (NFS)
RCE vulnerabilities pose a significant danger to network security. They let an attacker run code of their choosing on a system they have no legitimate access to, which can lead to full compromise of that system or the disruption of the services it provides.
In network services such as NFS the root cause is usually a memory-safety bug, for example a length or size calculation that trusts values taken from the request. The defence is to bounds-check every length derived from untrusted input before it is used, not merely to sanitize strings before processing them.
The Windows Network File System (NFS) flaw in this release is a buffer overflow triggered when the server calculates the size of a response message. It affects only NFS version 4.
A remote, authenticated attacker could exploit it by sending a specially crafted NFS COMPOUND request and run arbitrary code on the server. There is no public report that the vulnerability is being exploited, nor that any known malware uses it to infiltrate networks or steal credentials.
Defending against RCE is mostly hygiene: keep software and firmware up to date, run regular vulnerability scans to find unpatched flaws before attackers do, limit which hosts can reach the service (an NFS server has no business being reachable from untrusted networks), and monitor network activity for anomalies. Users should also avoid opening email attachments or clicking links from unknown sources.
These steps significantly reduce the likelihood of a successful RCE attack, but they are not foolproof; cybercriminals still find ways into systems, and RCE is only one of many security risks a company can encounter.
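For a server-side flaw like this one, the first two questions are whether the host exposes the vulnerable service at all and, if it does, whether the affected protocol version can be switched off until the patch lands. The following is an added example, not code from the article or from Microsoft, that answers both. It relies on the NFS module that ships with the Server for NFS role (Get-NfsServerConfiguration and Set-NfsServerConfiguration), Get-WindowsFeature from ServerManager, and Get-NetTCPConnection; the article names none of these, and the service name NfsService is the one Windows uses for Server for NFS. It needs an elevated prompt on Windows Server.

```powershell
# Added example (not from the article): check a Windows Server for NFSv4 exposure
# and, if needed, apply the disable-NFSv4 workaround until the patch is installed.

function Get-NfsExposure {
    # Returns what an attacker would care about: is the role installed, which NFS
    # versions are enabled, and is TCP 2049 actually listening.
    $feature = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
    if (-not $feature -or -not $feature.Installed) {
        return [pscustomobject]@{
            RoleInstalled = $false; NfsV3Enabled = $false
            NfsV4Enabled  = $false; Listening2049 = $false
        }
    }
    $cfg = Get-NfsServerConfiguration
    $listening = [bool](Get-NetTCPConnection -LocalPort 2049 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        RoleInstalled = $true
        NfsV3Enabled  = $cfg.EnableNFSV3
        NfsV4Enabled  = $cfg.EnableNFSV4
        Listening2049 = $listening
    }
}

function Disable-NfsV4Workaround {
    # Turn off NFSv4 only (v3 clients keep working) and restart the service so the
    # change takes effect. Re-enable with -EnableNFSV4 $true after patching.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Server for NFS', 'Disable NFSv4 and restart NfsService')) {
        Set-NfsServerConfiguration -EnableNFSV4 $false
        Restart-Service -Name NfsService
    }
}

# --- run the audit; only propose the workaround where it applies ---
$before = Get-NfsExposure
$before
if ($before.RoleInstalled -and $before.NfsV4Enabled) {
    Disable-NfsV4Workaround -WhatIf      # remove -WhatIf to apply the change
    # After applying, confirm NfsV4Enabled is False and that v3 clients still mount:
    # Get-NfsExposure
}
```

The caveat is that disabling NFSv4 is a service-level change: any client that mounts with vers=4 will lose access until the patch is installed and the setting is reverted, so pair the workaround with a check of who is actually using v4 before flipping it.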
5. Detecting and Hardening Against Remote Code Execution (RCE) in Windows PowerShell
According to security researchers, Microsoft's most recent Patch Tuesday update addressed at least 80 security flaws across the Windows OS and the Chromium-based Edge browser. Two of those fixes cover flaws currently under active attack in the wild.
One of the flaws is a remote code execution (RCE) vulnerability that allows attackers to run malicious code on a compromised system. With that foothold they can perform network reconnaissance and steal data, and they can chain privilege escalation bugs to take over the system and reach sensitive information.
Another is a memory-safety flaw reached through data serialization and deserialization, which lets an attacker hide malicious code inside what looks like ordinary serialized data. That makes the payload hard to discover, and hard to analyse for intent, before it executes.
The PowerShell remote code execution vulnerability could allow an attacker to gain code execution on a server that has PowerShell Remoting enabled. Note that PowerShell's execution policy is not a security boundary: it governs which scripts a user will run by default and offers no protection against this flaw or against command injection.
Though many threats are designed to avoid leaving logs, Windows Event Viewer and PowerShell's ScriptBlock logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) are invaluable for reconstructing attacker activity. Enable the logging, make sure the events are retained or forwarded to a central collector, and review them.
In addition to logging, administrators can create constrained runspaces on remote endpoints, through Just Enough Administration (JEA), that limit users to a specific set of commands. These policies give administrators control over which commands the endpoint will run; however, a constrained endpoint is only as safe as the commands it exposes, and an exposed function that builds a command string from its parameters is still vulnerable to command injection.
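The three hardening steps the section describes, ScriptBlock logging, a JEA endpoint, and the injection pitfall inside that endpoint, are shown below as an added example, not code from the article or from Microsoft. The policy registry key, the event log name, and the JEA cmdlets are documented Windows features; the endpoint name HelpdeskJEA, the role capability directory, the BUILTIN\Users principal, and the Get-ProcessByName function are assumptions made for the demonstration. It needs an elevated Windows PowerShell 5.1 session (pwsh 7 reads its logging policy from a PowerShellCore key instead).

```powershell
# Added example (not from the article): enable ScriptBlock logging and triage 4104
# events, publish a JEA endpoint with a fixed command set, and contrast a safe
# exposed function with one that is open to command injection.

# --- (1) ScriptBlock logging via the policy key, then a 4104 triage query ---
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

function Get-SuspiciousScriptBlocks {
    # Pull script-block text events and flag common download/obfuscation markers.
    param([int]$Hours = 24)
    $filter = @{ LogName   = 'Microsoft-Windows-PowerShell/Operational'
                 Id        = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'FromBase64String|EncodedCommand|Invoke-Expression|\bIEX\b|DownloadString' } |
        Select-Object TimeCreated,
            @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
}

# --- (2) JEA: a role that may restart the print spooler and look up processes ---
$roleDir = 'C:\ProgramData\JEA\RoleCapabilities'     # assumed location
New-Item -Path $roleDir -ItemType Directory -Force | Out-Null

# The safe exposed function: the value is passed as an argument, never as code,
# and its shape is constrained at parameter binding.
$safeFn = {
    param([ValidatePattern('^[A-Za-z0-9_.-]+$')][string]$Name)
    Get-Process -Name $Name -ErrorAction SilentlyContinue
}

New-PSRoleCapabilityFile -Path "$roleDir\Helpdesk.psrc" `
    -VisibleCmdlets @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } } `
    -FunctionDefinitions @{ Name = 'Get-ProcessByName'; ScriptBlock = $safeFn } `
    -VisibleFunctions 'Get-ProcessByName'

$pssc = Join-Path $env:TEMP 'HelpdeskJEA.pssc'
New-PSSessionConfigurationFile -Path $pssc -SessionType RestrictedRemoteServer -RunAsVirtualAccount `
    -RoleDefinitions @{ 'BUILTIN\Users' = @{ RoleCapabilityFiles = "$roleDir\Helpdesk.psrc" } }  # demo principal; use a dedicated group
Register-PSSessionConfiguration -Name 'HelpdeskJEA' -Path $pssc -Force | Out-Null

# --- (3) why "constrained" is not "safe": the same lookup, written badly ---
function Get-ProcessByName-Unsafe {
    # Do not expose this: $Name is interpolated into a command string, so a value
    # such as 'explorer; Write-Host INJECTED' runs both statements in the endpoint.
    param([string]$Name)
    Invoke-Expression "Get-Process -Name $Name"
}

$hostile = 'explorer; Write-Host INJECTED'
Get-ProcessByName-Unsafe -Name $hostile | Out-Null      # prints INJECTED: the second statement ran
try {
    & $safeFn -Name $hostile                             # rejected before any command runs
} catch {
    "Constrained function rejected input: $($_.Exception.Message)"
}

Get-SuspiciousScriptBlocks -Hours 1                      # both calls above now appear as 4104 events
```

Connecting to the endpoint with Enter-PSSession -ConfigurationName HelpdeskJEA drops the user into a session where Get-Command shows only the two permitted operations, and everything typed there is captured by the 4104 events the triage function reads. The unsafe function is included only to make the point in the section concrete: JEA limits which commands a user can name, but an exposed function that turns its parameters back into code hands that limit away.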
Abusing a legitimate component such as PowerShell has become a popular way for threat actors to evade detection, blend in with normal administrative tasks and leave fewer artifacts on targeted computers. Combined with a remote code execution flaw, it lets them gain a foothold within an enterprise network without any physical access being required.