Call it a patch for a broken patch.
Microsoft's May 2023 security update includes a patch for a vulnerability that allows attackers to easily bypass a fix the company issued in March for a critical privilege-escalation bug in Outlook that attackers have already exploited.
That bug, tracked as CVE-2023-23397, gives attackers a way to steal a user's password hash by coercing the victim's Microsoft Outlook client to connect to an attacker-controlled server. Microsoft, at the time, addressed the issue with a patch that essentially prevented the Outlook client from making such connections.
But a researcher from Akamai analyzing the fix found another issue in a related Internet Explorer component that allowed him to bypass the patch altogether, by adding just a single character to it.
Microsoft assigned a separate identifier to the new bug (CVE-2023-29324) and issued a patch for it in this month's Patch Tuesday batch.
In its vulnerability release notes, Microsoft described CVE-2023-29324 as a bug that allows attackers to craft a malicious URL that could evade the zone checks the company had implemented in the patch for the March flaw.
This could result in “a limited loss of integrity and availability of the victim machine,” Microsoft said. The company assessed the bug as moderate severity even though it also described it as one that attackers are more likely to exploit.
Microsoft is advising organizations to apply both the March patch for CVE-2023-23397 and the May patch for CVE-2023-29324 to be fully protected.
Dangerous Outlook Vulnerability
CVE-2023-29324 is a remotely exploitable, zero-click vulnerability that renders the patch for the original Outlook vulnerability ineffective, researchers at Akamai say.
“The vulnerability is easily triggered, as [it] doesn't require any special expertise,” says Ben Barnea, the researcher at Akamai who discovered the new bug. “In fact, there are many PoCs available on the Internet for the original Outlook vulnerability, and they can be easily adapted to use the new bypass.”
The original Outlook flaw, CVE-2023-23397, is a bug that essentially allows an unauthenticated attacker to steal a user's NTLM credentials, or password hash, and use them to authenticate to other services. Attackers can exploit the flaw by sending the victim a specially crafted email that triggers automatically when the Outlook client retrieves and processes the email, and before the user has even viewed it in the Preview Pane.
Attackers can use the vulnerability to force a connection from the victim's Outlook client to an attacker-controlled server so they can steal the victim's NTLM hash. The bug affects all supported Windows versions.
Abusing Outlook's Custom Notification Sound
Barnea's analysis of the bug showed it stemmed from the way in which Outlook handles emails containing a reminder with a custom notification sound.
The bug allows an attacker to specify what is known as a UNC path that would cause the Outlook client to retrieve the sound file from any SMB server, including an attacker-controlled one. A Universal Naming Convention (UNC) path essentially provides a standard way to locate and access shared resources on a network such as files, folders, and printers.
Microsoft addressed the issue by ensuring the relevant Outlook code calls a Windows API function (called MapUrlToZone) that verifies the security zone of a given URL. Security zones in Windows can include the local machine zone, intranet zone, and trusted zones. The patch ensures that if the path to the sound file points to an Internet URL, the default reminder sound from a local security zone is used instead of the custom audio sound, Akamai said.
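The two paragraphs above describe the core of both bugs: a reminder's custom sound path can be a UNC path to an SMB server, and the March fix relied on a zone-classification function to decide whether that path is local or remote. The following Python is an added example, not code from the article, Akamai or Microsoft, showing a defender-side triage check that a mail-hygiene or hunting script could run over reminder sound paths pulled from messages. Rather than trying to re-implement Windows zone logic (which is exactly what the bypass exploited), it takes the default-deny position: anything other than an empty value or a plain local drive path is flagged for review. All sample paths and hostnames are constructed for the example.

```python
import re
from typing import NamedTuple


class SoundPathVerdict(NamedTuple):
    path: str      # the raw value as found in the message
    verdict: str   # "empty", "local-drive", "unc", "url" or "other"
    host: str      # host component for UNC paths and URLs, else ""


# A plain local drive path such as C:\Windows\Media\notify.wav
LOCAL_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")
# A URL with a scheme, e.g. file://host/share/x.wav or http://host/x.wav
URL_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*)://([^/\\?#]*)", re.IGNORECASE)


def classify_sound_path(raw: str) -> SoundPathVerdict:
    """Classify a reminder sound path by its syntactic shape only.

    This deliberately does NOT claim to reproduce MapUrlToZone; it only
    separates 'obviously local' from 'everything else'.
    """
    path = (raw or "").strip().strip('"')
    if not path:
        return SoundPathVerdict(raw, "empty", "")
    if LOCAL_DRIVE.match(path):
        return SoundPathVerdict(raw, "local-drive", "")
    # UNC: two or more leading separators of either kind, then host, then share.
    # Extra separators are stripped so that separator tricks do not change the verdict.
    if path.startswith(("\\\\", "//")):
        rest = path[2:].lstrip("\\/")
        host = re.split(r"[\\/]", rest, maxsplit=1)[0]
        return SoundPathVerdict(raw, "unc", host.lower())
    m = URL_SCHEME.match(path)
    if m:
        return SoundPathVerdict(raw, "url", m.group(2).lower())
    return SoundPathVerdict(raw, "other", "")


def should_flag(v: SoundPathVerdict) -> bool:
    """Default-deny: only an empty value or a local drive path is considered benign."""
    return v.verdict not in ("empty", "local-drive")


# Constructed sample values, as a hunting script might extract them from reminders.
SAMPLES = [
    "",                                              # no custom sound set
    "C:\\Windows\\Media\\notify.wav",                # stock local sound
    "\\\\fileserver.corp.example\\share\\ping.wav",  # UNC to an internal server
    "//203.0.113.5/s/x.wav",                         # forward-slash UNC to a public IP
    "file://203.0.113.5/s/x.wav",                    # file: URL to the same host
]


def flagged_paths(samples=SAMPLES) -> list:
    """Return the raw paths that a reviewer should look at."""
    return [v.path for v in map(classify_sound_path, samples) if should_flag(v)]


if __name__ == "__main__":
    for v in map(classify_sound_path, SAMPLES):
        print(f"{'FLAG' if should_flag(v) else 'ok  '}  {v.verdict:12s} host={v.host!r:28s} {v.path!r}")
```

The point of the design is that the check never has to be right about what the OS will do with an unusual path: if the shape is not a local drive path, the message is surfaced regardless, which is the posture Barnea's "remove it altogether" recommendation below argues for at the product level.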
Barnea found that by adding a single character to the UNC path, an attacker could create a URL that MapUrlToZone would assess as belonging to the local security zone, while still allowing the custom audio file to be downloaded from an external SMB server.
“MapUrlToZone is problematic here. It is used as a security measure, but the function itself contained a bug,” Barnea says.
The patch for the original Outlook vulnerability (CVE-2023-23397) used a function that is supposed to parse a path and return whether it is local or remote.
“This addition was meant to prevent an outgoing connection from Outlook to remote servers to fetch a notification sound file,” Barnea says. “We found a specific path for which the function incorrectly returns a wrong verdict, ‘local’ instead of ‘remote.’ This allows us to ‘fool’ the function and use this path to exploit the original Outlook vulnerability.”
“Remove” It
Barnea says the original Outlook vulnerability and the subsequent bypass flaw that Akamai discovered are the only two instances the company knows of that targeted the custom reminder sound feature in Outlook. However, for attackers the feature presents an interesting surface for remote, unauthenticated attacks, he says. “We believe it should be removed altogether.”
Microsoft did not respond immediately to a Dark Reading request for comment on Akamai's claims regarding the severity of the bug and the threat it presents.