Microsoft Fixes Failed Patch for Exploited Outlook Vulnerability

  /     /     /  
Publicated : 23/11/2024   Category : security


Microsoft Fixes Failed Patch for Exploited Outlook Vulnerability


Adding a single character to a function in the previous Outlook patch rendered that fix useless, researchers say.



Call it a patch for a broken patch.
Microsofts May 2023 security update
includes a patch for a vulnerability that allows attackers to easily bypass a fix the company issued in March for a critical privilege-escalation bug in Outlook that attackers have already exploited.
That bug, tracked as
CVE-2023-23397
, allows attackers a way to steal a users password hash by coercing the victims Microsoft Outlook client to connect to an attacker-controlled server. Microsoft, at the time, addressed the issue with a patch that essentially prevented the Outlook client from making such connections.
But a researcher from Akamai examining the fix found another issue in a related Internet Explorer component that allowed him to bypass the patch altogether — by adding just a single character to it.
Microsoft assigned a separate identifier for the new bug (
CVE-2023-29324
) and issued a patch for it in this months Patch Tuesday batch.
In its vulnerability release notes, Microsoft described the CVE-2023-29324 as a bug that allows attackers to craft a malicious URL that could evade the zone checks the company had implemented in the patch for the March flaw.
This could result in a limited loss of integrity and availability of the victim machine, Microsoft said. The company assessed the bug to be of moderate severity even though it also described it as one that attackers are more likely to exploit.
Microsoft is advising organizations to implement both the March patch for CVE-2023-23397 and the May patch for CVE-2023-29324 to be fully protected.
CVE-2023-29324 is a remotely exploitable, zero-click vulnerability that renders the patch for the original Outlook vulnerability useless, researchers at Akamai say.
The vulnerability is easily triggered, as [it] doesnt require any special expertise, says Ben Barnea, the researcher at Akamai who discovered the new bug. In fact, there are many PoCs available on the Internet for the original Outlook vulnerability, and they can be easily adapted to use the new bypass.
The original Outlook flaw, CVE-2023-23397, is a bug that basically allows an unauthenticated attacker to steal a users NTLM credentials — or password hash — and use them to authenticate to other services. Attackers can exploit the flaw by sending the victim a specially crafted email that triggers automatically when the Outlook client retrieves and processes the email — and before the user has even viewed it in the Preview Pane.
Attackers can use the vulnerability to force a connection from the victims Outlook client to an attacker-controlled server so they could steal the victims NTLM hash. The bug affects all supported Windows versions.
Barneas analysis of the bug showed it stemmed from the manner in which Outlook handles emails containing a reminder with a custom notification sound.
The bug allows an attacker to specify what is known as a UNC path that would cause the Outlook client to retrieve the sound file from any SMB server including an attacker controller one. A
Universal Naming Convention (UNC) naming path
basically provides a standard way to locate and access shared resources on a network such as files, folders, and printers.
Microsoft addressed the issue by ensuring the relevant Outlook code calls a Windows API function (called MapUrlToZone) that verifies the security zone of a given URL. Security zones in Windows can include local machine zone, intranet zone, and trusted zones. The patch ensures that if the path to the sound file pointed to an Internet URL, the default reminder sound from a local security zone is used instead of the custom audio sound, Akamai said.
Barnea found that by adding a single to the UNC path, an attacker could create a URL that MapUrlToZone would assess as belonging in the local security zone, while also allowing the custom audio file to be downloaded from an external SMB server.
MapUrlToZone is problematic here. Its used as a security measure, but the function itself contained a bug, Barnea says.
The patch for the original Outlook vulnerability (CVE-2023-23397) used a function thats supposed to parse a path and return whether its local or remote.
This addition was meant to prevent an outgoing connection from Outlook to remote servers to fetch a notification sound file, Barnea says. We found a specific path for which the function incorrectly returns a wrong verdict — local instead of remote. This allows us to fool the function and use this path to exploit the original Outlook vulnerability.
Barnea says the original Outlook vulnerability and the subsequent bypass flaw that Akamai discovered are the only two instances the company knows of that targeted the custom reminder sound feature in Outlook. However, for attackers the feature presents an interesting surface for remote, unauthenticated attacks, he says. We believe it should be removed altogether.
Microsoft did not respond immediately to a Dark Reading request for comment on Akamais claims about the severity of the bug and the threat it presents.

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Microsoft Fixes Failed Patch for Exploited Outlook Vulnerability