Microsoft has finally released its monthly security update for March 2023, fixing 80 bugs that have been bugging us for a while. Of these, nine are rated as critical, 70 as important, and one as moderate. Two of the bugs are zero-day flaws that have been exploited by hackers who apparently have nothing better to do.
The zero-day bugs are CVE-2023-23397 and CVE-2023-24880. CVE-2023-23397 is a bug in Microsoft Outlook that lets a hacker steal your password by sending you an email. The hacker can then pretend to be you and do all kinds of naughty things. Microsoft says this bug can be exploited before you even open the email, which is just rude¹. CVE-2023-24880 is a bug in Windows SmartScreen that lets a hacker run any code they want on your computer by tricking you into opening a file. Windows SmartScreen is supposed to protect you from malicious files, but apparently it’s not so smart after all².
The critical bugs include five remote code execution (RCE) bugs, three elevation of privilege (EoP) bugs, and one denial of service (DoS) bug. The RCE bugs affect Microsoft Exchange Server, Windows Hyper-V, Windows HTTP Protocol Stack, Windows Kernel, and Windows Point-to-Point Protocol over Ethernet (PPPoE). These bugs let hackers take over your server, your virtual machine, your network connection, your operating system, or your internet access. Basically, they can mess up everything you care about. The EoP bugs affect Microsoft Office Excel, Microsoft Office SharePoint, and Windows Central Resource Manager. These bugs let hackers gain more power on your system than they should have. For example, they can edit your spreadsheets without permission or delete your files without warning. The DoS bug affects Role: DNS Server. This bug lets hackers make your DNS server stop working properly so you can’t access any websites or online services. This might sound like a blessing in disguise if you’re trying to avoid work or social media drama.
The important bugs include 21 EoP bugs, 15 information disclosure bugs, 10 spoofing bugs, nine RCE bugs, eight DoS bugs, six cross-site scripting (XSS) bugs, and one tampering bug. These affect various products such as Azure Client Server Run-time Subsystem (CSRSS), Internet Control Message Protocol (ICMP), Microsoft Bluetooth Driver, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Graphics Component, Microsoft Office Outlook, Microsoft OneDrive, Microsoft PostScript Printer Driver, Microsoft Printer Drivers, Microsoft Windows Codecs Library, Office for Android, and Remote Access Service Point-to-Point Tunneling Protocol. These bugs let hackers do things like spy on your data, leak your secrets, impersonate other people, run more code they shouldn’t, crash more things they shouldn’t, inject more scripts they shouldn’t, and change more things they shouldn’t.
Microsoft advises users to apply these updates as soon as possible to protect their systems from potential exploitation. Users can download the updates manually from the Microsoft Update Catalog, or use automatic updates or other update management solutions, or they can just hope for the best and pray that nothing bad happens.
References:
- https://www.tenable.com/blog/microsofts-march-2023-patch-tuesday-addresses-76-cves-cve-2023-23397
- https://www.zdnet.com/article/microsoft-patches-two-zero-days-in-march-patch-tuesday/
- https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/
- https://msrc.microsoft.com/update-guide/releaseNote/2022-Mar
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-