
Microsoft patches bypass for recently fixed Outlook zero-click bug

Microsoft fixed a security vulnerability this week that could be used by remote attackers to bypass recent patches for a critical Outlook zero-day security flaw abused in the wild.

This zero-click bypass (CVE-2023-29324) affects all supported versions of Windows and was reported by Akamai security researcher Ben Barnea.

“All Windows versions are affected by the vulnerability. Consequently, all Outlook client versions on Windows are exploitable,” Barnea explained.

The Outlook zero-day bug patched in March (CVE-2023-23397) is a privilege escalation flaw in the Outlook client for Windows that allows attackers to steal NTLM hashes without user interaction in NTLM-relay attacks.

Threat actors can exploit it by sending messages with extended MAPI properties containing UNC paths to custom notification sounds, causing the Outlook client to connect to SMB shares under their control.

Microsoft addressed the issue by adding a MapUrlToZone call to ensure the UNC paths do not point to internet URLs, and by replacing the custom sounds with default reminders if they did.

Bypass for Outlook zero-click privilege escalation

While analyzing the CVE-2023-23397 mitigation, Barnea found that the URL in reminder messages could be modified to trick the MapUrlToZone checks into accepting remote paths as local paths.

This circumvents Microsoft’s patch and causes the Windows Outlook client to connect to the attacker’s server.

“This issue seems to be a result of the complex handling of paths in Windows,” explains Barnea.

In light of Barnea’s findings, Microsoft warns that “Customers must install the updates for CVE-2023-23397 and CVE-2023-29324 to be fully protected.”

While Internet Explorer has been retired, the vulnerable MSHTML platform is still used by some apps through the WebBrowser control, as well as by Internet Explorer mode in Microsoft Edge.

Because of this, Redmond urges customers to install both this month’s security updates and the IE Cumulative updates released to address the CVE-2023-29324 vulnerability in order to remain fully protected.

Exploited by Russian state hackers for data theft

As Microsoft revealed in a private threat analytics report, the original bug (CVE-2023-23397) was exploited by Russian APT28 state hackers (aka STRONTIUM, Sednit, Sofacy, or Fancy Bear) in attacks against at least 14 government, military, energy, and transportation organizations between mid-April and December 2022.

APT28 has been linked to Russia’s military intelligence service, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

The threat actors used malicious Outlook notes and tasks to steal NTLM hashes by forcing their targets’ devices to authenticate to attacker-controlled SMB shares.

The stolen credentials were then used for lateral movement within the victims’ networks and to change Outlook mailbox permissions so that emails from specific accounts could be exfiltrated.

Microsoft released a script to help Exchange admins check whether their servers had been breached, but also advised them to look for other indicators of exploitation in case the threat actors had cleaned up their traces.
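As an added example (this is not Microsoft’s published script and not code from the article), the following Python sketch shows a conservative way to triage mailbox items for the condition described in both the mechanism section above (a reminder-sound property carrying a UNC path) and the incident-response advice here. Rather than trying to decide whether a path is “internet” or “local” the way the MapUrlToZone-based mitigation does, it allow-lists one well-understood path form, a plain local drive path to a .wav file, and flags everything else, which sidesteps the path-handling ambiguity Barnea points to. The item records, the `reminder_sound` field name, and every host and path in them are constructed for this example; in a real deployment the value would be read from the item’s extended MAPI reminder-sound property.

```python
import re

# Constructed sample of mailbox items (not real data). Each record carries the
# custom reminder-sound path the article describes, or None when no custom
# sound is set. The field name `reminder_sound` is an assumption for this example.
SAMPLE_ITEMS = [
    {"id": "item-001", "subject": "Weekly sync", "reminder_sound": None},
    {"id": "item-002", "subject": "Budget review",
     "reminder_sound": r"C:\Windows\Media\notify.wav"},
    {"id": "item-003", "subject": "Invoice",
     "reminder_sound": r"\\203.0.113.5\share\s.wav"},          # remote share (constructed)
    {"id": "item-004", "subject": "Task",
     "reminder_sound": r"\\attacker.example\sounds\a.wav"},    # remote share (constructed)
    {"id": "item-005", "subject": "Odd path",
     "reminder_sound": r"C:\..\..\..\share\x.wav"},            # traversal (constructed)
]

# Allow-list: a drive letter, then backslash-separated components made of
# ordinary filename characters, ending in a .wav file. No UNC, URL, device or
# long-path prefixes can match this, so they never need to be enumerated.
LOCAL_DRIVE_WAV = re.compile(
    r'^[A-Za-z]:\\(?:[^\\/:*?"<>|]+\\)*[^\\/:*?"<>|]+\.wav$', re.IGNORECASE
)

# Host portion of a UNC path (\\host\share\...), used only for triage output.
UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")


def is_allowed_sound_path(path):
    """Return True only for 'no custom sound' or a plain local .wav path.

    Anything else is rejected: the point is to avoid deciding what counts
    as 'remote', which is exactly where the original mitigation was bypassed.
    """
    if path is None:
        return True  # no custom reminder sound configured
    if ".." in path.split("\\"):
        return False  # traversal component, even on a local drive path
    return bool(LOCAL_DRIVE_WAV.match(path))


def unc_host(path):
    """Return the host named by a UNC path, or None if the path is not UNC."""
    match = UNC_HOST.match(path or "")
    return match.group(1) if match else None


def find_suspicious_items(items):
    """Return (item id, sound path, unc host) for every item that fails the allow-list."""
    return [
        (item["id"], item["reminder_sound"], unc_host(item["reminder_sound"]))
        for item in items
        if not is_allowed_sound_path(item["reminder_sound"])
    ]


if __name__ == "__main__":
    for item_id, path, host in find_suspicious_items(SAMPLE_ITEMS):
        where = f"UNC host {host}" if host else "non-allow-listed local path"
        print(f"{item_id}: {path!r} ({where})")
```

The hosts returned for flagged items are the values an analyst would correlate against SMB egress and outbound authentication logs; items that fail the allow-list without being UNC paths are worth a manual look precisely because they are the forms a remote-versus-local classifier is most likely to misjudge.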
