The discovery of new vulnerabilities is a constant reminder of the importance of vigilant software maintenance and user awareness. Recently, a significant development has emerged concerning the Microsoft Outlook email service, highlighting two critical security flaws that were exploited without any user interaction, known as zero-click exploits. This educational content delves into the technical intricacies of these vulnerabilities, their implications, and recommended mitigation strategies.
What are Zero-Click Outlook RCE Exploits?
Zero-click exploits are a form of cyberattack that does not require any action from the victim to execute malicious code. In the case of Microsoft Outlook, researchers uncovered two now-patched vulnerabilities that could be combined to achieve remote code execution (RCE) on a victim’s device without needing the user to click a link, open a file, or take any other action typically associated with phishing or malware attacks.
The Technical Details
The vulnerabilities in question were identified and reported by Akamai security researcher Ben Barnea. They are listed as follows:
CVE-2023-35384: A security feature bypass vulnerability in Windows HTML Platforms with a CVSS score of 5.4. It allows attackers to circumvent a security measure patched by Microsoft in March 2023, enabling them to coerce the Outlook client into connecting to an attacker-controlled server to download a malicious file.
CVE-2023-36710: A remote code execution vulnerability in the Windows Media Foundation Core, with a CVSS score of 7.8. This vulnerability is due to an integer overflow when playing a WAV file, which can be exploited to execute arbitrary code.
CVE-2023-35384 was discovered as a bypass to an earlier patch for a critical vulnerability (CVE-2023-23397) related to NTLM credential theft and relay attacks. This discovery underscores the iterative nature of cybersecurity, where new vulnerabilities can emerge as attackers find ways around existing defenses.
The Exploitation Chain
The attack begins with the exploitation of CVE-2023-35384, where an attacker sends an email containing a malicious URL or file to an Outlook client. This exploit bypasses security features by manipulating the way the MapUrlToZone function parses a path, tricking the client into treating the malicious URL as trustworthy.
This vulnerability can leak NTLM credentials and, when chained with CVE-2023-36710, allows the attacker to download and auto-play a custom sound file using Outlook’s reminder sound feature. This action triggers the remote code execution vulnerability in the Audio Compression Manager (ACM) component due to an integer overflow, leading to zero-click code execution on the victim’s machine.
Mitigation Strategies
To protect against such sophisticated attacks, organizations and individuals must adopt comprehensive security measures. Microsoft has patched these vulnerabilities, emphasizing the importance of regular software updates. Additionally, experts recommend the following strategies:
– Microsegmentation: Block outgoing SMB connections to remote public IP addresses to prevent attackers from exploiting these vulnerabilities to exfiltrate data or execute remote code.
-NTLM Adjustments: Consider disabling NTLM authentication or adding users to the Protected Users security group, which blocks the use of NTLM, adding an extra layer of security against such attacks.
The discovery of zero-click RCE exploits in Outlook serves as a critical reminder of the advanced capabilities of threat actors and the need for constant vigilance in cybersecurity practices. By understanding the nature of these vulnerabilities and implementing robust mitigation strategies, individuals and organizations can significantly reduce their risk of falling victim to such sophisticated attacks. Regular software updates, combined with strategic security measures, are essential in the ongoing battle against cyber threats.
and then