Microsoft Fixes Failed Patch for Exploited Outlook Vulnerability


Name it a patch for a damaged patch.

Microsoft’s Could 2023 safety replace features a patch for a vulnerability that permits attackers to simply bypass a repair the corporate issued in March for a important privilege-escalation bug in Outlook that attackers have already exploited.

That bug, tracked as CVE-2023-23397, permits attackers a strategy to steal a person’s password hash by coercing the sufferer’s Microsoft Outlook shopper to hook up with an attacker-controlled server. Microsoft, on the time, addressed the problem with a patch that primarily prevented the Outlook shopper from making such connections.

However a researcher from Akamai analyzing the repair discovered one other situation in a associated Web Explorer element that allowed him to bypass the patch altogether — by including only a single character to it.

Microsoft assigned a separate identifier for the brand new bug (CVE-2023-29324) and issued a patch for it on this month’s Patch Tuesday batch.

In its vulnerability launch notes, Microsoft described the CVE-2023-29324 as a bug that permits attackers to craft a malicious URL that might evade the zone checks the corporate had carried out within the patch for the March flaw.

This might lead to “a restricted lack of integrity and availability of the sufferer machine,” Microsoft stated. The corporate assessed the bug to be of reasonable severity despite the fact that it additionally described it as one which attackers usually tend to exploit.

Microsoft is advising organizations to implement each the March patch for CVE-2023-23397 and the Could patch for CVE-2023-29324 to be totally protected.

Harmful Outlook Vulnerability

CVE-2023-29324 is a remotely exploitable, zero-click vulnerability that renders the patch for the unique Outlook vulnerability ineffective, researchers at Akamai say.

“The vulnerability is definitely triggered, as [it] would not require any particular experience,” says Ben Barnea, the researcher at Akamai who found the brand new bug. “In actual fact, there are various PoCs out there on the Web for the unique Outlook vulnerability, and they are often simply tailored to make use of the brand new bypass.”

The unique Outlook flaw, CVE-2023-23397, is a bug that mainly permits an unauthenticated attacker to steal a person’s NTLM credentials — or password hash — and use them to authenticate to different providers. Attackers can exploit the flaw by sending the sufferer a specifically crafted e-mail that triggers routinely when the Outlook shopper retrieves and processes the e-mail — and earlier than the person has even seen it within the Preview Pane.

Attackers can use the vulnerability to pressure a connection from the sufferer’s Outlook shopper to an attacker-controlled server so they might steal the victims NTLM hash. The bug impacts all supported Home windows variations.

Abusing Outlook’s Customized Notification Sound

Barnea’s evaluation of the bug confirmed it stemmed from the style by which Outlook handles emails containing a reminder with a customized notification sound.

The bug permits an attacker to specify what is named a UNC path that will trigger the Outlook shopper to retrieve the sound file from any SMB server together with an attacker controller one. A Common Naming Conference (UNC) naming path mainly gives an ordinary strategy to find and entry shared assets on a community akin to recordsdata, folders, and printers.

Microsoft addressed the problem by guaranteeing the related Outlook code calls a Home windows API perform (known as MapUrlToZone) that verifies the safety zone of a given URL. Safety zones in Home windows can embody native machine zone, intranet zone, and trusted zones. The patch ensures that if the trail to the sound file pointed to an Web URL, the default reminder sound from a neighborhood safety zone is used as a substitute of the customized audio sound, Akamai stated.

Barnea discovered that by including a single ” to the UNC path, an attacker might create a URL that MapUrlToZone would assess as belonging within the native safety zone, whereas additionally permitting the customized audio file to be downloaded from an exterior SMB server.

“MapUrlToZone is problematic right here. It is used as a safety measure, however the perform itself contained a bug,” Barnea says.

The patch for the unique Outlook vulnerability (CVE-2023-23397) used a perform that is alleged to parse a path and return whether or not it is native or distant.

“This addition was meant to stop an outgoing connection from Outlook to distant servers to fetch a notification sound file,” Barnea says. “We discovered a selected path for which the perform incorrectly returns a improper verdict — ‘native’ as a substitute of ‘distant.’ This permits us to ‘idiot’ the perform and use this path to take advantage of the unique Outlook vulnerability.”

“Take away” It

Barnea says the unique Outlook vulnerability and the following bypass flaw that Akamai found are the one two situations the corporate is aware of of that focused the customized reminder sound function in Outlook. Nevertheless, for attackers the function presents an attention-grabbing floor for distant, unauthenticated assaults, he says. “We consider it needs to be eliminated altogether.”

Microsoft didn’t reply instantly to a Darkish Studying request for touch upon Akamai’s claims concerning the severity of the bug and the menace it presents.