Microsoft addressed 74 CVEs through the 2023 March Patch Tuesday

Updated on October 4, 2023

Spring is officially here, but not everything comes down to flowers and baby rabbits. There are those who eagerly await Microsoft’s Patch Tuesday rollout.

And, as you know, it’s the second Tuesday of the month, which means that Windows users are looking towards the tech giant in hopes that some of the flaws they’ve been struggling with will finally get fixed.

We have already taken the liberty of providing the direct download links for the cumulative updates released today for Windows 7, 8.1, 10, and 11, but now it’s time to talk CVEs again.

For March, Microsoft released 74 new patches, one less than last month, which is still more than some people were expecting for the third month of 2023.

These software updates address CVEs in:

You probably want to know more on the matter, so let’s dive right into it and see what all the fuss is about this month.

74 new patches released to fix serious security issues

Let’s just say that February was far from being a busy month for Microsoft, and still, they managed to release a total of 75 updates.

However, it seems that the situation isn’t getting any better, since the tech giant released only one less update this month, for a total of 74.

Please keep in mind that, out of all the patches released today, six are rated Critical, 67 are rated Important, and only one is rated Moderate in severity.

Furthermore, remember that this is one of the largest volumes we’ve seen from Microsoft for a March release in quite some time.

We have to say that it is a bit unusual to see half of the Patch Tuesday release address remote code execution (RCE) bugs.

It’s important to be aware that two of the new CVEs are listed as under active attack at the time of release with one of those also being listed as publicly known.

That being said, let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack.

Let’s look at CVE-2023-23397 for one second. Even though technically a spoofing bug, experts consider the result of this vulnerability to be an authentication bypass.

Thus, it allows a remote, unauthenticated attacker to access a user’s Net-NTLMv2 hash just by sending a specially crafted e-mail to an affected system.

CVE-2023-23392 could actually allow a remote, unauthenticated attacker to execute code at system level without user interaction.

Know that this combination makes the bug wormable, at least across systems that meet the target requirements: the target system needs to have HTTP/3 enabled and be configured to use buffered I/O.

There’s a CVSS 9.8 bug in RPC Runtime that also has some wormable potential. That being said, unlike ICMP, it is a good idea to block RPC traffic (specifically TCP port 135) at the perimeter.
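As an added illustration of that perimeter advice (not code from the original article), here is a small check that scans firewall log lines for RPC endpoint mapper connections on TCP port 135 that were allowed from addresses outside the internal ranges. The log format and the sample lines are constructed for this example; adapt the field parsing to your own firewall's export.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample log lines in a hypothetical space-separated format:
# timestamp action proto src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
2023-03-14T10:01:02Z ALLOW TCP 203.0.113.7 51234 192.0.2.10 135
2023-03-14T10:01:05Z ALLOW TCP 10.0.0.5 49152 10.0.0.20 135
2023-03-14T10:01:09Z DROP TCP 198.51.100.9 40000 192.0.2.10 135
2023-03-14T10:02:11Z ALLOW TCP 203.0.113.8 51300 192.0.2.10 443
2023-03-14T10:03:00Z ALLOW UDP 203.0.113.9 5000 192.0.2.10 135
"""

# Explicit internal ranges (RFC 1918 plus loopback and link-local). An explicit
# list is used instead of ipaddress.is_private because that flag also treats
# documentation ranges such as 203.0.113.0/24 as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_external(ip: str) -> bool:
    """True when the address is not in any internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def exposed_rpc_connections(log_text: str, rpc_port: int = 135) -> List[Tuple[str, str]]:
    """Return (src_ip, dst_ip) pairs for allowed TCP connections to rpc_port
    originating from external addresses, i.e. RPC traffic the perimeter
    should have blocked. DROP entries, internal sources and non-TCP lines
    are ignored."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip malformed or empty lines
        _, action, proto, src_ip, _, dst_ip, dst_port = parts
        if action != "ALLOW" or proto != "TCP" or int(dst_port) != rpc_port:
            continue
        if is_external(src_ip):
            findings.append((src_ip, dst_ip))
    return findings


if __name__ == "__main__":
    for src, dst in exposed_rpc_connections(SAMPLE_LOG):
        print(f"external RPC (TCP/135) allowed: {src} -> {dst}")
```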

Also, there’s a fair amount of Elevation of Privilege (EoP) bugs receiving patches this month, and the majority of these require the attacker to execute their code on a target to escalate privileges.

Moving on to the information disclosure vulnerabilities receiving patches this month, the vast majority simply result in info leaks consisting of unspecified memory contents.

However, there are a couple of exceptions. The bug in Microsoft Dynamics 365 could leak a verbose error message that attackers could use to create malicious payloads.

And, the two bugs in OneDrive for Android could leak certain Android/local URIs that OneDrive can access.

Once again, you will most likely need to get this patch from the Google Play store if you haven’t configured automatic app updates.

We have to point out that there are three additional DoS fixes released this month. There’s no additional info about the patches for Windows Secure Channel or the Internet Key Exchange (IKE) Extension.

On that note, we can expect a successful exploit of these bugs to interfere with authentication processes, so make sure you keep that in mind at all times.

Feel free to check each individual CVE and find out more about what it means, how it manifests, and what scenarios malicious third parties can use to exploit it.

Have you found any other issues after installing this month’s security updates? Share your experience with us in the comments section below.

Alexandru Poloboc

Tech Journalist

With an overpowering desire to always get to the bottom of things and uncover the truth, Alex spent most of his time working as a news reporter, anchor, as well as TV and radio entertainment show host.

A certified gadget freak, he always feels the need to surround himself with next-generation electronics.

When he is not working, he splits his free time between making music, gaming, playing football, basketball and taking his dogs on adventures.
