How Outlook notification sounds can lead to zero-click exploits
A researcher found two Microsoft vulnerabilities which could be combined to achieve zero-click remote code execution.
An Akamai researcher has found two vulnerabilities in Windows that can be combined to achieve a full, zero-click remote code execution (RCE) in Outlook.
Both vulnerabilities were responsibly disclosed to Microsoft and addressed in the August 2023 and October 2023 Patch Tuesdays, so the researcher felt it was no problem to disclose their findings.
The first vulnerability, listed as CVE-2023-35384, is a Windows HTML platforms security feature bypass vulnerability. It allows an attacker to craft a malicious file or send a malicious URL that would evade Security Zone tagging, resulting in a loss of integrity and availability of security features utilized by browsers and some custom applications (including Outlook).
This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended. Basically, the exploit falsely tells the system that the file or URL is local, so it is given a higher level of trust. For more technical details and the methodology used to find the vulnerability, we refer to the researcher's post.
The second vulnerability, listed as CVE-2023-36710, is a Windows Media Foundation Core Remote Code Execution vulnerability where the word Remote refers to the location of the attacker. The attack itself is carried out locally.
As part of the process of playing a WAV (Waveform Audio File), the researcher found it was possible to cause two out-of-bounds writes for WAV files with a certain size. An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions.
To chain these vulnerabilities together, an attacker would have to send an affected Outlook client an email reminder with a custom notification sound. By using the first vulnerability the client would retrieve the sound file from any SMB server. The Server Message Block protocol (SMB protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.
When the specially crafted sound file is then auto-played, this can lead to code execution on the victim’s machine without interaction (zero-click).
Is this something to worry about?
Personally, I don’t think so. Although the research was very thorough and interesting, creating a suitable sound file is challenging. The researcher noted that the smallest possible file size with IMA ADP codec is 1 GB and that it might not be possible to achieve in some codecs, like MP3.
Also, patches for the vulnerabilities have been available for months. It does prove, however, that with some effort it is possible to find these types of vulnerabilities, and there are undoubtedly more out there.
To demonstrate that fact, it is good to know that CVE-2023-35384 is the second patch bypass for CVE-2023-23397, which was discovered by the same researcher and patched by Microsoft as part of its May 2023 security updates.
The researcher criticized Microsoft’s patching methods:
“As a result, the patch added more code that also had vulnerabilities in it. We suggested to remove the abused feature instead of using patches, since the feature does more harm than good.”
So, instead of rooting out the problem, Microsoft added more code and with that, made the attack surface larger. A problem we unfortunately encounter often.
If your organization has been unable to patch these vulnerabilities, you can mitigate the risks by using microsegmentation to block outgoing SMB connections to remote public IP addresses. Microsegmentation refers to an approach to security that involves dividing a network into segments and applying security controls to each segment based on the segment’s requirements.
Or use the ThreatDown DNS filtering module to block suspicious web domains and manage specific site restrictions.
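To check whether the outgoing-SMB block described above is actually in force, the following added example (not code from the article or from the researcher) scans flow records for internal hosts that reach SMB ports on external addresses. The log format, the internal address ranges and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Ranges treated as internal; adjust to your own address plan (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
SMB_PORTS = {139, 445}  # NetBIOS session service and direct SMB over TCP

Flow = namedtuple("Flow", "ts src dst port action")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a bad address
    return any(addr in net for net in INTERNAL_NETS)

def outbound_public_smb(lines):
    """Return flows where an internal host contacts SMB on an external address."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or line.startswith("#"):
            continue  # skip comments and malformed records
        ts, src, dst, port, proto, action = parts
        try:
            if (proto.lower() == "tcp" and int(port) in SMB_PORTS
                    and is_internal(src) and not is_internal(dst)):
                hits.append(Flow(ts, src, dst, int(port), action.lower()))
        except ValueError:
            continue  # unparsable address or port
    return hits

def unprotected_hosts(flows):
    """Internal hosts whose SMB traffic to an external address was allowed."""
    return sorted({f.src for f in flows if f.action == "allow"})

# Constructed sample records (documentation addresses, not real traffic).
# Assumed format: timestamp src dst dst_port proto action
SAMPLE = """\
2023-12-20T09:14:02Z 10.1.4.23 10.1.0.5 445 tcp allow
2023-12-20T09:14:07Z 10.1.4.23 203.0.113.10 445 tcp allow
2023-12-20T09:15:31Z 10.1.7.88 198.51.100.7 445 tcp deny
2023-12-20T09:16:12Z 192.168.3.9 203.0.113.10 443 tcp allow
2023-12-20T09:17:45Z 172.16.9.2 2001:db8::50 139 tcp allow
""".splitlines()

if __name__ == "__main__":
    flows = outbound_public_smb(SAMPLE)
    for f in flows:
        print(f.ts, f.src, "->", f.dst, f.port, f.action)
    print("hosts needing egress block:", unprotected_hosts(flows))
```

Hosts returned by `unprotected_hosts` sit in segments where the egress rule is missing; flows with a `deny` action show the rule working.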