    Experts reveal new details of zero-click Outlook RCE vulnerability

December 18, 2023 | Email Security / Vulnerabilities

Technical details have emerged about two now-patched security vulnerabilities in Microsoft Windows that threat actors could chain to achieve remote code execution against the Outlook email client without any user interaction.

Ben Barnea, the Akamai security researcher who discovered the vulnerabilities, said in a two-part report shared with The Hacker News: "An internet attacker could chain these vulnerabilities together to create a full, zero-click remote code execution (RCE) attack against the Outlook client."

    The security issues Microsoft addressed in August 2023 and October 2023 are as follows:

    • CVE-2023-35384 (CVSS score: 5.4) – Windows HTML Platform Security Feature Bypass Vulnerability
    • CVE-2023-36710 (CVSS score: 7.8) – Windows Media Foundation Core Remote Code Execution Vulnerability

Akamai describes CVE-2023-35384 as a bypass for a critical security vulnerability that Microsoft patched in March 2023. That flaw, tracked as CVE-2023-23397 (CVSS score: 9.8), is a privilege escalation issue that could lead to the theft of NTLM credentials and enable an attacker to carry out a relay attack.

Earlier this month, Microsoft, Proofpoint, and Palo Alto Networks Unit 42 revealed that a Russian threat actor known as APT28 (aka Forest Blizzard) has been actively exploiting the vulnerability to gain unauthorized access to victim accounts on Exchange servers.

    Notably, CVE-2023-35384 is also the second patch bypass following CVE-2023-29324, which was also discovered by Barnea and subsequently fixed by Redmond as part of the May 2023 security update.

    “We discovered another bypass for the original Outlook vulnerability, which again allowed us to force the client to connect to an attacker-controlled server and download a malicious sound file,” Barnea said.

CVE-2023-35384, like CVE-2023-29324, is rooted in the path parsing of the MapUrlToZone function and can be triggered by sending an email containing a malicious file or URL to an Outlook client.

"A security feature bypass vulnerability exists when the MSHTML platform fails to validate the correct Security Zone of requests for specific URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended," Microsoft noted in its advisory.

As a result, the vulnerability can be used not only to leak NTLM credentials but also, when chained with the sound parsing flaw (CVE-2023-36710), to download a crafted sound file that is played automatically by Outlook's reminder sound feature, resulting in zero-click code execution on the victim's machine.

CVE-2023-36710 affects the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework used to manage audio codecs, and stems from an integer overflow that occurs when playing WAV files.

    “In the end, we managed to trigger the vulnerability using the IMA ADP codec,” Barnea explained. “The file size is approximately 1.8 GB. By applying mathematical constraints to the calculation, we can conclude that the minimum possible file size for the IMA ADP codec is 1 GB.”

To reduce risk, organizations are advised to use micro-segmentation to block outbound SMB connections to remote public IP addresses. Akamai also recommends disabling NTLM, or adding users to the Protected Users security group, which prevents NTLM from being used as an authentication mechanism for those accounts.
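As an added example (not code from the article or from Akamai's report), the following PowerShell applies the two host-side mitigations just listed, an outbound TCP 445 block toward public address ranges and Protected Users membership, and then verifies each; the rule name and the account name are placeholders.

```powershell
# Added example, not from the article or Akamai's report.
# Assumptions: run elevated on a domain-joined Windows host; the ActiveDirectory
# module is installed for step 2; $RuleName and $User are placeholders.
#Requires -RunAsAdministrator

# 1. Block outbound SMB (TCP 445) to everything outside RFC 1918 space.
#    Windows Firewall has no "everything except" operator, so the public ranges
#    between the private blocks are listed explicitly. Block rules take
#    precedence over allow rules, so no carve-out allow rule is needed.
$PublicRanges = @(
    '1.0.0.0-9.255.255.255',        # before 10.0.0.0/8
    '11.0.0.0-172.15.255.255',      # between 10/8 and 172.16/12
    '172.32.0.0-192.167.255.255',   # between 172.16/12 and 192.168/16
    '192.169.0.0-223.255.255.255'   # after 192.168/16, up to multicast space
)
$RuleName = 'Block outbound SMB to public IPs (Outlook NTLM leak mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress $PublicRanges -Action Block -Profile Any | Out-Null
}

# Verify the rule exists, is enabled, and carries the expected address filter.
$Rule = Get-NetFirewallRule -DisplayName $RuleName
$Addr = $Rule | Get-NetFirewallAddressFilter
"Rule enabled: $($Rule.Enabled); blocked remote ranges: $($Addr.RemoteAddress -join ', ')"

# 2. Put an account into Protected Users so NTLM is refused for it entirely.
#    Protected Users also disables DES/RC4 Kerberos pre-auth and delegation,
#    so pilot it on a few accounts first; service accounts and legacy apps can break.
Import-Module ActiveDirectory -ErrorAction Stop
$User = 'jdoe'   # placeholder sAMAccountName
$Members = Get-ADGroupMember -Identity 'Protected Users'
if (-not ($Members | Where-Object { $_.SamAccountName -eq $User })) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $User
}
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
```

The firewall rule covers only the local host; the same 445 egress block should also be enforced at the perimeter firewall and on VPN profiles, since the leak is triggered by Outlook reaching out to the attacker-controlled server.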
