Thanks to the precise four-week length of February this year, last month’s coincidence of Firefox and Microsoft updates has happened once again. Last month, Microsoft dealt with three zero-days, by which we mean security holes that cybercriminals found first, and figured out how to abuse in real-life attacks before any patches were available. (The name zero-day, or just 0-day, is a reminder of the fact that even the most progressive and proactive patchers amongst us enjoyed precisely zero days during which we could have been ahead of the crooks.) In March 2023, there are two zero-day fixes, one in Outlook, and the other in Windows SmartScreen. Intriguingly for a bug that was discovered in the wild, albeit one reported rather blandly by Microsoft as Exploitation Detected, the Outlook flaw is jointly credited to CERT-UA (the Ukrainian Computer Emergency Response Team), Microsoft Incident Response, and Microsoft Threat Intelligence. You can make of that what you will.
This article explains the Outlook Elevation of Privilege (EoP) vulnerability and the Windows SmartScreen security feature bypass vulnerability. The Outlook bug allows an attacker to obtain a user’s Net-NTLMv2 hash, which can then be used as the basis of an NTLM relay attack against another service in order to authenticate as that user. The attacker sends a specially crafted email that triggers automatically when the Outlook client retrieves and processes it, so the vulnerability can be exploited before the email is ever shown in the Preview Pane. The victim’s computer is made to connect to an external UNC location under the attacker’s control, leaking the victim’s Net-NTLMv2 hash to the attacker.
Net-NTLMv2 authentication, often shortened to NTLM2, works like this: the server sends 8 random bytes known as the challenge. The client generates 8 random bytes of its own and computes an HMAC-MD5 keyed hash over the two challenges, using a securely stored hash of the user’s password as the key. The client then sends back this keyed hash together with its own 8-byte challenge. The server now has both 8-byte challenges and the one-time reply, so it can recompute the keyed hash and verify the response.
In the booby-trapped email scenario, the attacker tricks the victim’s Outlook into attempting to “logon” to a fake server when the email is read, or when Outlook starts processing it on the victim’s behalf. The victim thus leaks a single, valid NTLM2 response to the attacker, who can relay it to another service and authenticate as the victim.
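To make the challenge/response round concrete, here is an added example (not code from the original article, and a simplification of the real protocol) that models the exchange exactly as described above: a server challenge, a client challenge, an HMAC-MD5 keyed with the stored password hash, and the server’s recomputation. The stored hash value is a constructed placeholder, and the function names are the example’s own. It also shows why the leaked reply is “single” and one-time: the response is bound to the server challenge it was computed for, so a server issuing a fresh challenge rejects it, which is why a relay must happen live rather than later.

```python
import hmac
import hashlib
import os

# Constructed stand-in for the "securely stored hash of the password" that the
# article describes as the HMAC key. The real protocol derives its key from the
# NT hash of the password; this example uses an arbitrary constructed value.
STORED_PASSWORD_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")


def compute_response(stored_hash: bytes, server_challenge: bytes, client_challenge: bytes) -> bytes:
    """Client side: HMAC-MD5 over both 8-byte challenges, keyed with the stored hash."""
    if len(server_challenge) != 8 or len(client_challenge) != 8:
        raise ValueError("challenges must be exactly 8 bytes")
    return hmac.new(stored_hash, server_challenge + client_challenge, hashlib.md5).digest()


def verify_response(stored_hash: bytes, server_challenge: bytes,
                    client_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the keyed hash and compare in constant time."""
    expected = compute_response(stored_hash, server_challenge, client_challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(stored_hash: bytes, server_challenge: bytes = None,
                 client_challenge: bytes = None) -> dict:
    """Simulate one round: server challenge out, client challenge + keyed hash back, server verifies."""
    server_challenge = server_challenge or os.urandom(8)   # message 1: server -> client
    client_challenge = client_challenge or os.urandom(8)   # chosen by the client
    response = compute_response(stored_hash, server_challenge, client_challenge)
    # message 2: client -> server carries client_challenge and response
    verified = verify_response(stored_hash, server_challenge, client_challenge, response)
    return {
        "server_challenge": server_challenge.hex(),
        "client_challenge": client_challenge.hex(),
        "response": response.hex(),
        "verified": verified,
    }


def replay_against_fresh_challenge(stored_hash: bytes, fresh_server_challenge: bytes,
                                   captured_client_challenge: bytes, captured_response: bytes) -> bool:
    """A captured reply presented to a server that issued a different challenge does not verify."""
    return verify_response(stored_hash, fresh_server_challenge,
                           captured_client_challenge, captured_response)


if __name__ == "__main__":
    # Constructed, fixed challenges so the run is reproducible.
    sc, cc = bytes(range(8)), bytes(range(8, 16))
    ex = run_exchange(STORED_PASSWORD_HASH, sc, cc)
    print("exchange verified:", ex["verified"])
    print("same reply against a fresh challenge verifies:",
          replay_against_fresh_challenge(STORED_PASSWORD_HASH, bytes(8), cc,
                                         bytes.fromhex(ex["response"])))
```

The second check is the defender’s takeaway: the leaked value is not a reusable password equivalent, but a reply valid only for that one challenge, which is exactly why the relay described above has to forward it to the target service while the challenge is still live.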
The second zero-day is the Windows SmartScreen Security Feature Bypass Vulnerability. This bug means that some files that arrive from outside – for example, downloads or email attachments – don’t get tagged with the correct Mark of the Web (MotW) identifier, so they sneakily sidestep Microsoft’s official security checks. As a result, malicious files that would usually be rendered harmless, for example by having their built-in macro code suppressed, can spring into life unexpectedly when viewed or opened.
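The Mark of the Web that SmartScreen and Office rely on is stored as an NTFS alternate data stream named Zone.Identifier, in a small INI-style [ZoneTransfer] section whose ZoneId field says where the file came from. The following added example (not code from the original article) parses that stream and reports whether a file would be treated as coming from an untrusted zone; the sample stream content is constructed, and the zone numbers are the standard Windows URL security zone identifiers (3 = Internet, 4 = Restricted sites). On Windows it can also read the stream straight from a file; elsewhere it simply works on supplied text.

```python
import sys

# Standard Windows URL security zone identifiers as recorded in Zone.Identifier.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
# Only these zones count as "from outside" for SmartScreen / Office Protected View.
UNTRUSTED_ZONES = {3, 4}

# Constructed sample of a Zone.Identifier stream as a browser download would write it.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/\r\n"
    "HostUrl=https://example.com/report.docx\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse the [ZoneTransfer] section into lower-cased key/value pairs; {} if malformed."""
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def classify_motw(stream_text):
    """Return (has_motw, zone_name, reason) for the given stream content (None = no stream)."""
    if stream_text is None:
        return False, None, "no Zone.Identifier stream: MotW absent, checks will not trigger"
    fields = parse_zone_identifier(stream_text)
    if "zoneid" not in fields:
        return False, None, "Zone.Identifier present but no ZoneId: treated as unmarked"
    try:
        zone = int(fields["zoneid"])
    except ValueError:
        return False, None, "Zone.Identifier present but ZoneId is not an integer"
    name = ZONE_NAMES.get(zone, f"unknown zone {zone}")
    if zone in UNTRUSTED_ZONES:
        return True, name, "MotW present: SmartScreen / Protected View checks apply"
    return False, name, "ZoneId indicates a trusted zone: checks are skipped"


def read_zone_identifier(path: str):
    """On Windows/NTFS read the alternate data stream; return None elsewhere or if absent."""
    if not sys.platform.startswith("win"):
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    # With a path argument on Windows, inspect a real file; otherwise use the constructed sample.
    text = read_zone_identifier(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STREAM
    has_motw, zone_name, reason = classify_motw(text)
    print(f"MotW: {has_motw}, zone: {zone_name}, {reason}")
```

A file that arrived from the internet but for which classify_motw returns False is exactly the situation the bypass creates: nothing in the stream tells SmartScreen or Office that the file came from outside, so the usual macro suppression and reputation checks never run.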
Given that these attacks can be made to work, and have succeeded at least once against an unsuspecting victim, it is important to patch as soon as possible. SophosLabs has published an analysis of these two bugs and of the more than 70 other patches in this month’s update, to help you understand the risk posed by these vulnerabilities.
In conclusion, Microsoft has dealt with two zero-day fixes this month: the Outlook Elevation of Privilege Vulnerability (EoP) and the Windows SmartScreen Security Feature Bypass Vulnerability. Both issues allow maliciously crafted content to sidestep the usual security checks: a booby-trapped email can leak an NTLM response before it is even previewed, and a mis-tagged download or attachment can escape the Mark of the Web and spring into life unexpectedly. To protect against these vulnerabilities, patch as soon as possible and read the full SophosLabs analysis of these bugs.