Microsoft Patches Zero-Click Outlook Vulnerability That Could Soon Be Exploited

Microsoft’s June 2024 Patch Tuesday updates resolve a zero-click Outlook vulnerability leading to remote code execution.

One of the vulnerabilities that Microsoft addressed as part of its June 2024 Patch Tuesday updates could be exploited to achieve remote code execution (RCE) without user interaction, Morphisec warns.

Tracked as CVE-2024-30103 (CVSS score of 8.8), the security defect allows attackers to bypass Outlook registry block lists and create malicious DLL files, Microsoft says in its advisory.

“Preview Pane is an attack vector,” the tech giant notes, adding that attack complexity is low and that exploitation over the network is possible. Outlook 2016, Office LTSC 2021, 365 Apps for Enterprise, and Office 2019 are affected.

While Microsoft rates the vulnerability as ‘important’, Morphisec, whose researchers discovered the bug, considers it ‘critical’, warning that attackers might soon start exploiting it specifically because it does not require user interaction.

“Rather, execution initiates when an affected email is opened. This is notably dangerous for accounts using Microsoft Outlook’s auto-open email feature,” the cybersecurity firm notes.

The RCE flaw, Morphisec says, could be exploited to exfiltrate data, gain unauthorized access to systems, and perform other malicious activities.

“This Microsoft Outlook vulnerability can be circulated from user to user and doesn’t require a click to execute,” Morphisec adds.

According to the cybersecurity firm, creating an exploit for this zero-click vulnerability is straightforward, which makes it susceptible to mass exploitation for initial access.

“Once an attacker successfully exploits this vulnerability, they can execute arbitrary code with the same privileges as the user, potentially leading to a full system compromise,” Morphisec says.

The company plans on releasing technical details and a proof-of-concept (PoC) exploit at the DEF CON conference this summer.

Users are advised to update their Outlook clients as soon as possible. Threat actors are known to have used zero-click Outlook exploits in attacks before.

On Tuesday, Microsoft released patches for over a dozen remote code execution vulnerabilities in its products, including a critical-severity flaw in Microsoft Message Queuing (MSMQ).

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.