Microsoft Releases Second Outlook Zero-Day Patch Attempt

Microsoft has addressed CVE-2023-29324, a vulnerability that allowed attackers to bypass the mitigation shipped for a zero-click Outlook zero-day and so re-open the path to credential theft. The fix was released in the May 2023 Patch Tuesday updates and closes a bypass of the March 2023 patch for CVE-2023-23397. That earlier critical Outlook flaw had been exploited by Russian APT groups for about a year before it was fixed. CVE-2023-23397 let an unauthenticated attacker send a message whose reminder carried a custom sound-file path pointing at an attacker-controlled SMB server; when the reminder fired, the Outlook client tried to fetch the sound over SMB and authenticated with NTLM, handing the attacker the user's Net-NTLMv2 response (it is sent in the NTLM authenticate message of the SMB session setup, not in the negotiate message). That response can be cracked offline or relayed to other services, which is the credential-theft outcome.
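The network symptom of the attack described above is an SMB connection from the Outlook process to a host outside the organization. The following is an added detection example, not code from the article, Microsoft or Akamai: it runs a simple rule over constructed records shaped like the fields of a Sysmon Event ID 3 (network connection) log. The addresses, image paths and the internal-network list are assumptions for the example.

```python
import ipaddress
from pathlib import PureWindowsPath

# Networks treated as internal; an SMB connection to anything else is "external".
# ipaddress.is_global is deliberately not used: the constructed sample addresses
# below come from documentation ranges, which Python classifies as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
SMB_PORTS = {445, 139}

# Constructed records modelled on Sysmon Event ID 3 fields (Image, DestinationIp,
# DestinationPort). They are sample data for this example, not real captures.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.7", "DestinationPort": 445},   # Outlook -> external SMB
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "10.20.30.40", "DestinationPort": 445},   # internal file server, benign
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 445},   # not the Outlook process
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "198.51.100.9", "DestinationPort": 443},  # ordinary HTTPS, benign
    {"Image": r"C:\Program Files (x86)\Microsoft Office\Office16\outlook.exe",
     "DestinationIp": "198.51.100.22", "DestinationPort": 139}, # Outlook -> external NetBIOS/SMB
]


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_outlook(image: str) -> bool:
    """Match on the executable name only, case-insensitively, so the install path
    (32-bit, 64-bit, click-to-run) does not matter."""
    return PureWindowsPath(image).name.lower() == "outlook.exe"


def suspicious_smb_events(events):
    """Return the events in which Outlook opened an SMB connection to a host that is
    not internal. This is the network-level trace of a reminder whose sound path
    points at an attacker's server; it does not identify the offending message."""
    return [e for e in events
            if is_outlook(e["Image"])
            and int(e["DestinationPort"]) in SMB_PORTS
            and not is_internal(e["DestinationIp"])]


if __name__ == "__main__":
    for hit in suspicious_smb_events(SAMPLE_EVENTS):
        print(f"ALERT: Outlook SMB connection to external host "
              f"{hit['DestinationIp']}:{hit['DestinationPort']}")
```

If outbound TCP 445 is blocked at the perimeter, the same rule still fires on the attempt (Sysmon logs the connection event regardless of whether the remote end answers), which makes it a useful check that the block is actually in place.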

The bypass was discovered by Ben Barnea, a security researcher at Akamai, who notes that it requires no user interaction: an unauthenticated attacker on the internet can coerce an Outlook client into connecting to an attacker-controlled server, resulting in NTLM credential theft. Microsoft's March fix for CVE-2023-23397 had added a call to the MapUrlToZone Windows API function to check whether the reminder sound path refers to an internet-zone location and, if it does, to replace the sound with the default reminder sound.

While analyzing that patch, Barnea found that MapUrlToZone could be tricked into classifying a remote path as a local one by placing a crafted path in the reminder property, which defeated the mitigation and once again made the Outlook client connect to the remote server. The March fix checked the zone of the path rather than removing the ability to fetch reminder sounds from arbitrary locations, so the mitigation was only as strong as the URL parsing underneath it. That parsing lives in the MSHTML platform, which Windows still ships for Internet Explorer mode in Microsoft Edge and for other applications through the WebBrowser control, which is why the correction arrives through the IE component rather than through Outlook itself. Microsoft therefore recommends installing the patches for both CVE-2023-23397 and CVE-2023-29324, and users who install Security-Only updates must also install the IE Cumulative updates to receive the MapUrlToZone fix.
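The lesson of the bypass is that a check which asks "is this path remote?" is a deny-list over URL syntax. The alternative is an allow-list: accept only a plain local drive path under a fixed directory and fall back to the default sound for anything else, without trying to reason about hosts. The following is an added example written for this page; it is not Microsoft's or Akamai's code, and the default sound, the allowed directory and the sample paths are assumptions. It goes slightly beyond the article's case by also rejecting device and long-path prefixes, forward-slash UNC forms and traversal out of the allowed directory.

```python
import ntpath

# Hypothetical values for this example; they are not Outlook's real defaults.
DEFAULT_SOUND = r"C:\Windows\Media\reminder.wav"
ALLOWED_ROOTS = (r"C:\Windows\Media",)


def is_safe_local_sound(path: str) -> bool:
    """True only for a plain absolute local-drive path that, after normalisation,
    stays under ALLOWED_ROOTS and names a .wav file.

    Everything else is rejected without asking who the host is: UNC paths
    (\\host\share), forward-slash UNC (//host/share), device and long-path
    prefixes (\\?\, \\.\), URLs (file://, http://), relative paths, and paths whose
    ".." segments escape the allowed root.
    """
    if not isinstance(path, str):
        return False
    p = path.strip()
    if not p or "\0" in p or len(p) > 260:
        return False
    # Two leading separators in any mix is UNC or device syntax. Reject it even when
    # the host is localhost or 127.0.0.1: "local" UNC paths still go through the
    # network stack and the same NTLM negotiation.
    if p[:2] in ("\\\\", "//", "\\/", "/\\"):
        return False
    # Require the "X:\" or "X:/" drive form. A URL such as file://host/... fails here
    # because its scheme is longer than one character.
    if not (len(p) >= 3 and p[0].isascii() and p[0].isalpha()
            and p[1] == ":" and p[2] in "\\/"):
        return False
    normalized = ntpath.normpath(p)  # collapses "..", "." and mixed slashes
    if not normalized.lower().endswith(".wav"):
        return False
    # Prefix test against each allowed root after normalising the root the same way.
    # Caveat (assumption about deployment): a drive letter can be a mapped network
    # drive; a real implementation would additionally confirm the volume is local,
    # e.g. with the Win32 GetDriveType call, before trusting it.
    for root in ALLOWED_ROOTS:
        prefix = ntpath.normpath(root).lower().rstrip("\\") + "\\"
        if normalized.lower().startswith(prefix):
            return True
    return False


def resolve_reminder_sound(path: str) -> str:
    """Mirror the shape of the fix: keep the configured sound only if it passes the
    allow-list, otherwise substitute the default reminder sound."""
    return ntpath.normpath(path.strip()) if is_safe_local_sound(path) else DEFAULT_SOUND


if __name__ == "__main__":
    # Constructed sample reminder sound paths for demonstration.
    samples = [
        r"C:\Windows\Media\chimes.wav",
        "C:/Windows/Media/chimes.wav",
        r"\\attacker.example\share\sound.wav",
        r"\\?\UNC\attacker.example\share\sound.wav",
        "file://attacker.example/share/sound.wav",
        r"\\localhost\c$\Windows\Media\chimes.wav",
        r"C:\Windows\Media\..\..\Users\victim\evil.wav",
    ]
    for s in samples:
        print(f"{s!r:60} -> {resolve_reminder_sound(s)}")
```

The check never needs to decide whether a given host is "really" local, which is exactly the question MapUrlToZone got wrong; any path that is not already in the accepted shape is treated as untrusted.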

Overall, the incident is a reminder that a mitigation is not a fix: the March patch left the remote-fetch behaviour in place behind a zone check, and a bypass of that check was found within two months. Organizations should confirm that both the March and May updates are deployed rather than treat the first patch as closing the issue. In the first five months of 2023 Microsoft addressed more than 450 vulnerabilities, and more bypasses of this kind are likely, so patch management and vulnerability intelligence need to keep pace. Compensating controls matter too, and for this class of attack the useful ones are specific: block outbound SMB (TCP 445) from workstations to the internet at the perimeter, and place high-value accounts in the Protected Users security group so that they cannot authenticate with NTLM at all. Both were part of Microsoft's published guidance for CVE-2023-23397 and limit the damage even when an unpatched client leaks a hash.
