Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service without any user interaction.
“An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients,” Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a two-part report shared with The Hacker News.
The security issues, which were addressed by Microsoft in August and October 2023, respectively, are listed below –
- CVE-2023-35384 (CVSS score: 5.4) – Windows HTML Platforms Security Feature Bypass Vulnerability
- CVE-2023-36710 (CVSS score: 7.8) – Windows Media Foundation Core Remote Code Execution Vulnerability
CVE-2023-35384 has been described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. Tracked as CVE-2023-23397 (CVSS score: 9.8), the flaw relates to a case of privilege escalation that could result in the theft of NTLM credentials and enable an attacker to conduct a relay attack.
Earlier this month, Microsoft, Proofpoint, and Palo Alto Networks Unit 42 revealed that a Russian threat actor known as APT29 has been actively weaponizing the bug to gain unauthorized access to victims’ accounts within Exchange servers.
It is worth noting that CVE-2023-35384 is also the second patch bypass after CVE-2023-29324, which was also discovered by Barnea and subsequently remediated by Redmond as part of the May 2023 security updates.
“We found another bypass to the original Outlook vulnerability — a bypass that once again allowed us to coerce the client to connect to an attacker-controlled server and download a malicious sound file,” Barnea said.
CVE-2023-35384, like CVE-2023-29324, is rooted in the parsing of a path by the MapUrlToZone function, and could be exploited by sending an email containing a malicious file or a URL to an Outlook client.
“A security feature bypass vulnerability exists when the MSHTML platform fails to validate the correct Security Zone of requests for specific URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended,” Microsoft noted in its advisory.
In doing so, the vulnerability can not only be used to leak NTLM credentials, but can also be chained with the sound parsing flaw (CVE-2023-36710) to download a custom sound file that, when autoplayed using Outlook’s reminder sound feature, can lead to zero-click code execution on the victim machine.
CVE-2023-36710 affects the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework that is used to manage audio codecs, and is the result of an integer overflow vulnerability that occurs when playing a WAV file.
“Finally, we managed to trigger the vulnerability using the IMA ADP codec,” Barnea explained. “The file size is approximately 1.8 GB. By performing the math limit operation on the calculation we can conclude that the smallest possible file size with IMA ADP codec is 1 GB.”
To mitigate the risks, it is recommended that organizations use microsegmentation to block outgoing SMB connections to remote public IP addresses. Additionally, it is also advised to either disable NTLM, or add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism.
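The two mitigations described above, applied with PowerShell, as an added example that is not part of the article or of Akamai's report. It assumes an elevated session on a domain-joined Windows host with the built-in NetSecurity module and the ActiveDirectory RSAT module available; the rule name and the account names in `$UsersToProtect` are constructed sample values, and the `Internet` keyword for `-RemoteAddress` is used to scope the block to addresses outside the local subnet and intranet.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Akamai). Applies the report's two
# recommended mitigations on a Windows host / in its AD domain.

# 1. Block outbound SMB (TCP 445) to non-local addresses so that a client coerced
#    into opening a remote UNC path cannot hand its NTLM response to an
#    attacker-controlled host. Internal file servers and domain controllers keep
#    working because the 'Internet' keyword excludes local-subnet/intranet ranges.
$ruleName = 'Block outbound SMB to Internet (NTLM leak mitigation)'   # constructed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 2. Put sensitive accounts in 'Protected Users'. Membership stops those accounts
#    from authenticating with NTLM at all (and also disables DES/RC4 Kerberos
#    etypes and delegation), so a relayed NTLM exchange has nothing to relay.
$UsersToProtect = @('jdoe', 'admin-svc')   # constructed sample account names
$group = Get-ADGroup -Identity 'Protected Users'
$current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
foreach ($sam in $UsersToProtect) {
    if ($current -notcontains $sam) {
        $user = Get-ADUser -Identity $sam -ErrorAction Stop
        Add-ADGroupMember -Identity $group -Members $user
    }
}

# 3. Verify both changes took effect.
Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Enabled, Direction, Action
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
```

Two practical caveats: Protected Users membership breaks any workflow that still depends on NTLM or on Kerberos delegation for that account, so stage the change on a pilot group and watch authentication failures before rolling it out to service accounts; and a host-level port 445 block does not stop a client that falls back to WebDAV over HTTP when SMB is unreachable, so egress filtering at the network boundary (the microsegmentation the report recommends) and, where not needed, disabling the WebClient service on workstations are the complementary controls.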