Experts Reveal New Details About Zero-Click Outlook RCE Exploits

Zero-Click Outlook RCE Exploits

Technical details have emerged about two now-fixed security flaws in Microsoft Windows that threat actors could chain together to remotely execute code against Outlook clients without any user interaction.

“An attacker on the Internet could chain the vulnerabilities together to create a complete, zero-click remote code execution (RCE) exploit against Outlook clients,” Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a two-part report shared with The Hacker News.

The security issues fixed by Microsoft in August and October 2023 respectively are listed below:

  • CVE-2023-35384 (CVSS score: 5.4) – Windows HTML Platforms Security Feature Bypass Vulnerability
  • CVE-2023-36710 (CVSS score: 7.8) – Windows Media Foundation Core Remote Code Execution Vulnerability

CVE-2023-35384 was described by Akamai as a bypass of the fix for a critical security flaw that Microsoft patched in March 2023. That flaw, tracked as CVE-2023-23397 (CVSS score: 9.8), is a privilege escalation issue that could result in the theft of NTLM credentials and allow an attacker to carry out a relay attack.

Earlier this month, Microsoft, Proofpoint, and Palo Alto Networks Unit 42 revealed that a Russian threat actor known as APT28 (aka Forest Blizzard) has been actively weaponizing the bug to gain unauthorized access to victims’ accounts on Exchange servers.

It’s worth noting that CVE-2023-35384 is also the second patch bypass after CVE-2023-29324, which was also discovered by Barnea and subsequently patched by Redmond as part of the May 2023 security updates.

“We found another workaround to the original Outlook vulnerability – a workaround that once again allowed us to force the client to connect to an attacker-controlled server and download a malicious sound file,” Barnea said.

CVE-2023-35384, like CVE-2023-29324, is rooted in how the MapUrlToZone function parses a path, and can be exploited by sending an email containing a malicious file or URL to an Outlook client.

“A security feature bypass vulnerability exists when the MSHTML platform fails to validate the correct Security Zone of requests for specific URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended,” Microsoft said in its advisory.

In addition, the vulnerability can not only be used to leak NTLM credentials, but can also be coupled with the sound parsing flaw (CVE-2023-36710) to download a custom sound file that, when automatically played by Outlook’s reminder sound feature, leads to zero-click code execution on the victim’s machine.

CVE-2023-36710 affects the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework used to manage audio codecs, and is the result of an integer overflow vulnerability that occurs when playing a WAV file.

“We finally managed to activate the vulnerability using the IMA ADP codec,” Barnea explains. “The file size is approximately 1.8 GB. By performing the mathematical limit operation on the calculation, we can conclude that the smallest possible file size with IMA ADP codec is 1 GB.”

To mitigate risk, organizations are recommended to use micro-segmentation to block outbound SMB connections to external public IP addresses. It is also advised to disable NTLM, or to add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism.
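The following PowerShell is an added example (not from the article or from Akamai) showing one way to apply the three mitigations above on a domain-joined Windows host. It assumes an elevated session, the ActiveDirectory RSAT module, a domain whose schema includes the Protected Users group, and that `$UsersToProtect` is a placeholder list you replace with your own accounts.

```powershell
# Added example: enforce the article's recommended mitigations.
#Requires -RunAsAdministrator

$UsersToProtect = @('alice', 'bob')   # placeholder sAMAccountNames (assumption)

# 1. Block outbound SMB (TCP 445) to Internet addresses on this host.
#    Micro-segmentation is normally done at the network layer; a host
#    firewall rule is one additional enforcement point. 'Internet' is a
#    built-in address keyword that excludes local/intranet ranges, so
#    domain file shares keep working.
$ruleName = 'Block outbound SMB to Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
        -Protocol TCP -RemotePort 445 -RemoteAddress Internet `
        -Action Block -Profile Any | Out-Null
}

# 2. Put high-value accounts in Protected Users; members of that group
#    cannot authenticate with NTLM and must use Kerberos.
Import-Module ActiveDirectory
$members = (Get-ADGroupMember -Identity 'Protected Users').SamAccountName
foreach ($u in $UsersToProtect) {
    if ($members -notcontains $u) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $u
    }
}

# 3. Report the local outbound-NTLM policy. RestrictSendingNTLMTraffic = 2
#    ("Deny all") is the registry form of the "disable NTLM" recommendation.
#    This step only reports, so an operator can assess compatibility impact
#    before changing it.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$val = (Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic `
        -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
switch ($val) {
    2       { 'Outgoing NTLM: denied to all remote servers' }
    1       { 'Outgoing NTLM: audit only' }
    default { 'Outgoing NTLM: allowed (not restricted)' }
}
```

Test the firewall rule and group change on a pilot set of hosts and accounts first, since both can break legacy applications that still depend on NTLM or on SMB to external hosts.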

