Microsoft's March 2023 Patch Tuesday
2022-03-19
Microsoft’s March 2023 Patch Tuesday update is being released, addressing a total of 80 security vulnerabilities, with two of them actively exploited. Of the 80 issues, eight are classified as Critical, 71 as Important, and one as Moderate. This follows Microsoft’s recent fixes for 29 flaws in its Chromium-based Edge browser.
The actively exploited vulnerabilities include a Microsoft Outlook privilege escalation flaw (CVE-2023-23397, CVSS score: 9.8) and a Windows SmartScreen security feature bypass (CVE-2023-24880, CVSS score: 5.1).
CVE-2023-23397 can be triggered by sending a malicious email, which automatically activates when processed by the Outlook client for Windows, without requiring user interaction or even previewing the message. The flaw, reported by the Ukrainian Computer Emergency Response Team (CERT-UA), has been used in limited targeted attacks by a Russia-based threat actor against European government, transportation, energy, and military sectors.
CVE-2023-24880 is a security feature bypass that can be exploited to circumvent Mark-of-the-Web (MotW) protections for untrusted files downloaded from the internet. It is a variant of an earlier bug whose patch was too narrow, which allowed attackers to quickly find a different way to trigger the same weakness. Google Threat Analysis Group (TAG) researcher Benoit Sevens highlighted the issue in a report, noting that over 100,000 downloads of malicious MSI files had been observed since January 2023, primarily affecting users in Europe.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added these flaws to the Known Exploited Vulnerabilities (KEV) catalog and announced a new pilot program to warn critical infrastructure entities about vulnerabilities related to known ransomware exploitation.
Microsoft also resolved several critical remote code execution vulnerabilities in the HTTP Protocol Stack (CVE-2023-23392, CVSS score: 9.8), Internet Control Message Protocol (CVE-2023-23415, CVSS score: 9.8), and Remote Procedure Call Runtime (CVE-2023-21708, CVSS score: 9.8).
Other notable fixes include patches for four Windows Kernel privilege escalation bugs, 10 remote code execution flaws in Microsoft PostScript and PCL6 Class Printer Driver, and a WebView2 spoofing vulnerability in the Edge browser.
Additionally, Microsoft addressed two information disclosure flaws in OneDrive for Android (CVE-2023-24882 and CVE-2023-24923, CVSS scores: 5.5), one spoofing vulnerability in Office for Android (CVE-2023-23391, CVSS score: 5.5), one security bypass bug in OneDrive for iOS (CVE-2023-24890, CVSS score: 4.3), and one privilege escalation issue in OneDrive for macOS (CVE-2023-24930, CVSS score: 7.8).
Finally, Microsoft issued patches for two high-severity vulnerabilities in the Trusted Platform Module (TPM) 2.0 reference library specification (CVE-2023-1017 and CVE-2023-1018, CVSS scores: 8.8) that could result in information disclosure or privilege escalation.