
Microsoft Patches Zero-Click Outlook Vulnerability That Could Soon Be Exploited

Microsoft’s June 2024 Patch Tuesday updates resolve a zero-click Outlook vulnerability leading to remote code execution.

One of the vulnerabilities that Microsoft addressed as part of its June 2024 Patch Tuesday updates could be exploited to achieve remote code execution (RCE) without user interaction, Morphisec warns.

Tracked as CVE-2024-30103 (CVSS score of 8.8), the security defect allows attackers to bypass Outlook registry block lists and create malicious DLL files, Microsoft says in its advisory.

“Preview Pane is an attack vector,” the tech giant notes, adding that attack complexity is low and that exploitation over the network is possible. Outlook 2016, Office LTSC 2021, 365 Apps for Enterprise, and Office 2019 are affected.

While Microsoft rates the vulnerability as ‘important’, Morphisec, whose researchers discovered the bug, considers it ‘critical’, warning that attackers might soon start exploiting it specifically because it does not require user interaction.

“Rather, execution initiates when an affected email is opened. This is notably dangerous for accounts using Microsoft Outlook’s auto-open email feature,” the cybersecurity firm notes.

The RCE flaw, Morphisec says, could be exploited to exfiltrate data, gain unauthorized access to systems, and perform other malicious activities.

“This Microsoft Outlook vulnerability can be circulated from user to user and doesn’t require a click to execute,” Morphisec adds.

According to the cybersecurity firm, creating an exploit for this zero-click vulnerability is straightforward, which makes the flaw a likely candidate for mass exploitation aimed at initial access.


“Once an attacker successfully exploits this vulnerability, they can execute arbitrary code with the same privileges as the user, potentially leading to a full system compromise,” Morphisec says.

The company plans on releasing technical details and a proof-of-concept (PoC) exploit at the DEF CON conference this summer.

Users are advised to update their Outlook clients as soon as possible. Threat actors are known to have used zero-click Outlook exploits in attacks before.

On Tuesday, Microsoft released patches for over a dozen remote code execution vulnerabilities in its products, including a critical-severity flaw in Microsoft Message Queuing (MSMQ).

Related: New NTLM Hash Leak Attacks Target Outlook, Windows Programs

Related: Outlook Plays Attacker Tunes: Vulnerability Chain Leading to Zero-Click RCE

Related: Microsoft Makes Second Attempt to Patch Recent Outlook Zero-Day

Related: Microsoft Expands List of Blocked File Types in Outlook on the Web

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
