Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Outlook Plays Attacker Tunes: Vulnerability Chain Leading to Zero-Click RCE

Akamai researchers document more vulnerabilities and patch bypasses leading to zero-click remote code execution in Microsoft Outlook.

Russia hackers hit Microsoft

Security researchers at Akamai are sharing details on multiple bypasses for patches Microsoft released for an Outlook zero-click remote code execution vulnerability earlier this year.

The original issue, tracked as CVE-2023-23397, was patched by Microsoft in March 2023 after a Russian state-sponsored threat actor had been exploiting it in the wild for roughly a year.

An unauthenticated attacker could exploit the issue by sending an email reminder containing a sound notification specified as a path, coercing the Outlook client into connecting to the attacker’s server, which resulted in the Net-NTLMv2 hash being sent to the server.

No user interaction was required for exploitation, as the bug was triggered immediately when the email was received and processed by the server. Microsoft resolved it with a call to an API function that would check the path to ensure it was not referring to an internet URL.

The called function, however, could be tricked into treating a remote path is a local one, by including a crafted URL in the email. Discovered by Akamai and tracked as CVE-2023-29324, the bypass was fixed by Microsoft in May.

The CVE-2023-29324 flaw, however, is only one of the bypasses that Akamai identified while researching the Outlook zero-click vulnerability.

The second one, tracked as CVE-2023-35384 and addressed by Microsoft with the August 2023 patches, is a path type confusion that can be exploited via crafted URLs, but which does require user interaction.

“An attacker can craft a malicious file or send a malicious URL that would evade Security Zone tagging, resulting in a limited loss of integrity and availability of security features utilized by browsers and some custom applications,” Microsoft said in its advisory.

Advertisement. Scroll to continue reading.

In October, the tech giant patched another vulnerability related to this Outlook attack vector, this time one rooted in the parsing of sound files on Windows.

Tracked as CVE-2023-36710, the issue is an integer overflow bug in Audio Compression Manager (ACM), the code that handles cases where the codec in a WAV file needs to be decoded by a custom decoder. The codecs are handled by drivers similar in function to kernel-mode drivers, but which are registered through the ACM.

The security defect was identified in the mapWavePrepareHeader function in the ACM manager, Akamai notes in a technical write up.

Because the function performs no check of overflows when adding bytes to the destination buffer’s size, an attacker can trigger the allocation of a very small buffer, causing two out-of-bounds writes.

“We managed to trigger the vulnerability using the IMA ADP codec. The file size is approximately 1.8 GB. By performing the math limit operation on the calculation we can conclude that the smallest possible file size with IMA ADP codec is 1 GB,” according to Akamai’s documentation.

According to Akamai, an attacker could successfully exploit this vulnerability in the context of the Outlook client or another instant messaging application to achieve remote code execution without user interaction.

“As of now, the attack surface in Outlook that we researched still exists, and new vulnerabilities can be found and exploited. Although Microsoft patched Exchange to drop mails containing the PidLidReminderFileParameter property, we can not rule out the possibility of bypassing this mitigation,” Akamai concludes.

Related: Russian APT Used Zero-Click Outlook Exploit

Related: Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails

Related: Microsoft Patches MotW Zero-Day Exploited for Malware Delivery

Related: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.