Microsoft Outlook Zero-Click Security Flaws Triggered by Sound File

Attackers can chain the vulnerabilities to gain full remote code execution.

Researchers this week disclosed details on two security vulnerabilities in Microsoft Outlook that, when chained together, give attackers a way to execute arbitrary code on affected systems without any user interaction. Unusually, both of them can be triggered using a sound file.
One of the flaws, tracked as
CVE-2023-35384
, is actually the
second patch bypass that researchers at Akamai have uncovered
for a
critical privilege escalation vulnerability in Outlook
that Microsoft first patched in March. The second flaw that
Akamai disclosed this week
(
CVE-2023-36710
) is a remote code execution (RCE) vulnerability in a feature of Windows Media Foundation, and it has to do with how Windows parses sound files.
An attacker on the Internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients, Akamai said in a
two-part blog post
this week.
Microsoft
issued a patch for CVE-2023-35384
in August, after Akamai researchers contacted the company. The flaw stems from a security feature in Outlook not properly validating if a requested URL is in a local machine zone, intranet zone, or another trusted zone.
Attackers can trigger the vulnerability by sending an affected Outlook client an email reminder with a custom notification sound, according to Akamai. An attacker can specify a UNC path that would cause the client to retrieve the sound file from any SMB server on the Internet, instead of from a safe or trusted zone, the vendor added.
To trigger the second vulnerability, an attacker would use the first vulnerability to send a specially crafted email that downloads a malicious sound file from an attacker-controlled server.
When the downloaded sound file is autoplayed … it can lead to code execution on the victim machine, Akamai said.
According to Ben Barnea, security researcher at Akamai, an attacker can exploit both vulnerabilities individually or in a chained fashion. While each one of them is a somewhat weak vulnerability, by chaining them together against Outlook we achieved a powerful zero-click RCE vulnerability, he says.
As noted, this is the second time that Akamai researchers have found a way around a March patch that Microsoft issued for the Outlook privilege-escalation flaw tracked as
CVE-2023-23397
. That original bug gives attackers a way to use a sound file to steal a users password hash and authenticate to services to which the user has access. As recently as Dec. 4, Microsoft
warned of Russias Fancy Bear
group (aka Forest Blizzard) actively exploiting the flaw to gain unauthorized access to email accounts in Exchange server.
Microsofts original patch sought to ensure that before Outlook handles emails containing custom notification reminders, it first verifies the safety of the URL for the sound file. The patch was designed to ensure that if the URL for the custom notification sound was brought in from an untrusted/unverified domain, Outlooks default notification sound is used instead.
But then, Akamai researchers probing the patch discovered they could bypass it by adding a single character to a function in the Microsoft update. The discovery prompted Microsoft to assign the issue a separate CVE (CVE-2023-29324) and issue a patch for it in May.
The new bypass that Akamai is detailing this week also arises from an issue in the original patch — and it might not be the last problem found in the patch, either.
The patch for the original vulnerability used a function called MapUrlToZone to mitigate the abuse of the custom reminder sound feature, explains Barnea, noting that the function is a complex one and increases the attack surface available to the attacker.
As a result, the patch added more code that also had vulnerabilities in it, he says. We suggested to remove the abused feature instead of using patches, since the feature does more harm than good.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Microsoft Outlook Zero-Click Security Flaws Triggered by Sound File