Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email client without any user interaction.
“An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients,” Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a two-part report shared with The Hacker News.
The security issues, which were addressed by Microsoft in August and October 2023, respectively, are listed below –
- CVE-2023-35384 (CVSS score: 5.4) – Windows HTML Platforms Security Feature Bypass Vulnerability
- CVE-2023-36710 (CVSS score: 7.8) – Windows Media Foundation Core Remote Code Execution Vulnerability
CVE-2023-35384 has been described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. Tracked as CVE-2023-23397 (CVSS score: 9.8), the flaw is a privilege escalation issue that could result in the theft of NTLM credentials and enable an attacker to conduct a relay attack.
Earlier this month, Microsoft, Proofpoint, and Palo Alto Networks Unit 42 disclosed that a Russian threat actor known as APT29 has been actively weaponizing the bug to gain unauthorized access to victims’ accounts within Exchange servers.
It is worth noting that CVE-2023-35384 is also the second patch bypass, after CVE-2023-29324, which was also discovered by Barnea and subsequently remediated by Redmond as part of the May 2023 security updates.
“We found another bypass to the original Outlook vulnerability — a bypass that once again allowed us to coerce the client to connect to an attacker-controlled server and download a malicious sound file,” Barnea said.
CVE-2023-35384, like CVE-2023-29324, is rooted in the parsing of a path by the MapUrlToZone function and could be exploited by sending an email containing a malicious file or a URL to an Outlook client.
“A security feature bypass vulnerability exists when the MSHTML platform fails to validate the correct Security Zone of requests for specific URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended,” Microsoft noted in its advisory.
In doing so, the vulnerability can not only be used to leak NTLM credentials, but can also be chained with the sound parsing flaw (CVE-2023-36710) to download a custom sound file that, when autoplayed using Outlook’s reminder sound feature, can lead to zero-click code execution on the victim machine.
CVE-2023-36710 impacts the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework that is used to manage audio codecs, and is the result of an integer overflow vulnerability that occurs when playing a WAV file.
“Finally, we managed to trigger the vulnerability using the IMA ADP codec,” Barnea explained. “The file size is approximately 1.8 GB. By performing the math limit operation on the calculation we can conclude that the smallest possible file size with IMA ADP codec is 1 GB.”
To mitigate the risks, it is recommended that organizations use microsegmentation to block outgoing SMB connections to remote public IP addresses. Additionally, it is also advised to either disable NTLM or add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism.
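The three mitigations above, applied from PowerShell on a Windows host, as an added example that is not part of the article and is not code from Akamai or Microsoft. It assumes an elevated session on a domain-joined machine with the RSAT ActiveDirectory module installed; the account names passed at the bottom are constructed placeholders, and the rule name and function names are this example's own.

```powershell
# Added example: applies the mitigations the article recommends.
# Assumes an elevated PowerShell session on a domain-joined host with the
# RSAT ActiveDirectory module. Account names below are constructed samples.
#Requires -RunAsAdministrator

Import-Module ActiveDirectory

function Block-OutboundSmbToInternet {
    # Host-firewall equivalent of "block outgoing SMB to public IPs":
    # drop outbound TCP/445 to the built-in "Internet" address set, which
    # excludes the local subnets, so intranet file shares keep working.
    $name = 'Block outbound SMB to Internet (NTLM coercion mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound -Protocol TCP -RemotePort 445 `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name
}

function Add-UsersToProtectedUsers {
    param([Parameter(Mandatory)][string[]]$SamAccountNames)
    # Members of the built-in "Protected Users" group cannot authenticate
    # with NTLM, so a coerced SMB connection yields no usable NTLM response.
    # Only adds accounts that are not already members.
    $current = Get-ADGroupMember -Identity 'Protected Users' |
        Select-Object -ExpandProperty SamAccountName
    $toAdd = $SamAccountNames | Where-Object { $_ -notin $current }
    if ($toAdd) { Add-ADGroupMember -Identity 'Protected Users' -Members $toAdd }
    Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
}

function Set-OutgoingNtlmRestriction {
    # Local registry equivalent of the Group Policy setting
    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
    # 1 = audit all (log to the NTLM Operational event log), 2 = deny all.
    # Start in audit mode and review the log before switching to deny.
    param([ValidateSet(1, 2)][int]$Mode = 1)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Set-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic -Value $Mode -Type DWord
    Get-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic
}

Block-OutboundSmbToInternet
Add-UsersToProtectedUsers -SamAccountNames 'jdoe', 'asmith'   # constructed sample accounts
Set-OutgoingNtlmRestriction -Mode 1
```

The firewall rule is a per-host stand-in for the network-level microsegmentation the article describes; it should complement, not replace, an egress block on TCP/445 at the perimeter. Protected Users membership is meant for interactive user accounts, not service or computer accounts, and it also tightens Kerberos behaviour (no DES/RC4, shorter ticket lifetime, no delegation), so test it on a pilot group first. Audit mode for outgoing NTLM writes to Applications and Services Logs > Microsoft > Windows > NTLM > Operational, which is the place to confirm nothing legitimate still depends on NTLM before moving to deny.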