Alert essentials:
Microsoft’s November Patch Tuesday released a fix for a remotely exploitable Windows Defender SmartScreen bypass. This former zero-day is still being exploited because many teams have not yet had an opportunity to apply the recently released fix. Researchers have since reverse-engineered the patch, and Proof-of-Concept code is now publicly available; patch devices as soon as possible, following organizational patch-management policies.
Detailed threat description:
Windows Defender SmartScreen is a protection feature integrated into Windows 10, Windows 11 and the Windows Server operating systems that helps defend against phishing, malicious websites and applications, and harmful downloads from the Internet. It checks for malicious applications and installers, and for malicious websites accessed in the browser.
A zero-day vulnerability recently exploited in the wild lets threat actors bypass critical Windows Defender SmartScreen checks and warnings. A remote attacker tricks a user into clicking a hyperlink that redirects the victim to a malicious website without the user receiving any SmartScreen warning, or the click can trigger harmful code execution that delivers malicious payloads.
This remote attack is low in complexity and requires no credentials. The flaw is the third Windows SmartScreen zero-day of 2023; it was patched in November yet remains under active exploitation. To complicate matters further, the released patch has been reverse-engineered, and a Proof-of-Concept (PoC) exploit is now available. It is strongly recommended that all vulnerable systems be patched immediately.
Impacts on healthcare organizations
When Proof-of-Concept code for a vulnerability becomes available, it opens an avenue to weaponize the flaw. Weaponizing a weakness means turning the vulnerability into an attack tool, with unknown intent, that can be deployed in the wild. That scenario can result in the exfiltration of data, the loss of access to life-saving technology, and many other outcomes. Remain vigilant to cyber dangers and be cautious with hyperlinks: verify where a link leads by hovering over it and reading the destination URL before clicking.
Affected products / versions
- Windows 10
- Windows 11
- Windows Server 2008, all 32-bit and 64-bit versions
- Windows Server 2012
- Windows Server 2012 (Server Core Installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core Installation)
- Windows Server 2016
- Windows Server 2019
- Windows Server 2019 (Server Core Installation)
- Windows Server 2022 (Server Core Installation)
- Windows Server 2022, 23H2 Edition (Server Core Installation)
CVE
- CVE-2023-36025
KB
- 5032189
- 5032190
- 5032192
- 5032196
- 5032197
- 5032198
- 5032199
- 5032202
- 5032247
- 5032248
- 5032249
- 5032250
- 5032252
- 5032254
- 5032304
Recommendations
Engineering recommendations:
- Apply patches to all vulnerable devices
- Ensure there are little to no blind spots in EDR saturation across the device fleet
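The following PowerShell script is an added example, not part of the Fortified alert or of Microsoft's tooling. It gives a patch-verification check for the two engineering recommendations above: it reports whether any of the November 2023 KBs listed in this alert is installed on a Windows host, and whether Defender real-time protection is reporting as enabled. The function name Test-AlertPatchState and the hostnames.txt file used in the fan-out comment are assumptions chosen for this example; the KB numbers are those in the alert's KB section.

```powershell
# Added example (not from the alert): check one Windows host for the
# November 2023 SmartScreen fix and for Defender real-time protection.
# Run from an elevated PowerShell session.

function Test-AlertPatchState {
    [CmdletBinding()]
    param(
        # KB list copied from the alert's "KB" section. Microsoft ships one
        # cumulative update per OS build, so a single match is sufficient.
        [string[]]$KbList = @(
            'KB5032189','KB5032190','KB5032192','KB5032196','KB5032197',
            'KB5032198','KB5032199','KB5032202','KB5032247','KB5032248',
            'KB5032249','KB5032250','KB5032252','KB5032254','KB5032304'
        )
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Get-HotFix reads Win32_QuickFixEngineering. It can lag or miss updates
    # installed through some channels, so treat a negative result as
    # "needs review" and cross-check the OS build number it reports.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = @($installed | Where-Object { $KbList -contains $_ })

    # The Defender module is absent on older server SKUs; report "unknown"
    # instead of failing so the host still appears in the inventory.
    $rtp = 'Unknown (Defender module unavailable)'
    try {
        $mp  = Get-MpComputerStatus -ErrorAction Stop
        $rtp = $mp.RealTimeProtectionEnabled
    } catch { }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        OperatingSystem         = $os.Caption
        Build                   = $os.BuildNumber
        NovemberKbInstalled     = ($matched.Count -gt 0)
        MatchedKb               = ($matched -join ',')
        DefenderRealTimeProtect = $rtp
    }
}

# Local run: print the result for this host.
Test-AlertPatchState | Format-List

# Fan-out across a fleet (hostnames.txt is a placeholder file you supply);
# lists only hosts where none of the alert's KBs is present.
# Invoke-Command -ComputerName (Get-Content .\hostnames.txt) `
#     -ScriptBlock ${function:Test-AlertPatchState} |
#     Where-Object { -not $_.NovemberKbInstalled } |
#     Format-Table ComputerName, OperatingSystem, Build, DefenderRealTimeProtect -AutoSize
```

Hosts that return NovemberKbInstalled as false, or an unknown Defender status, are the EDR and patching blind spots the recommendations refer to; feed that list into the change-management process rather than patching ad hoc.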
Leadership / program recommendations:
- Educate and familiarize staff on spotting and responding to email phishing attempts
- Plan and develop detailed emergency response and business continuity plans before any loss of technology occurs
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Microsoft Zero-Days Allow Defender Bypass, Privilege Escalation (darkreading.com)
- CVE-2023-36025 – Security Update Guide – Microsoft – Windows SmartScreen Security Feature Bypass Vulnerability
- NVD – CVE-2023-36025 (nist.gov)
- https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/