Microsoft Outlook Zero-Click Security Flaws Triggered by Sound File

Original Source: Dark Reading

Researchers this week disclosed details on two security vulnerabilities in Microsoft Outlook that, when chained together, give attackers a way to execute arbitrary code on affected systems without any user interaction. Unusually, both of them can be triggered using a sound file.

One of the flaws, tracked as CVE-2023-35384, is actually the second patch bypass that researchers at Akamai have uncovered for a critical privilege escalation vulnerability in Outlook that Microsoft first patched in March. The second flaw that Akamai disclosed this week (CVE-2023-36710) is a remote code execution (RCE) vulnerability in a feature of Windows Media Foundation, and it has to do with how Windows parses sound files.

"An attacker on the Internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients," Akamai said in a two-part blog post this week.

Arbitrary Code Execution

Microsoft issued a patch for CVE-2023-35384 in August, after Akamai researchers contacted the company. The flaw stems from a security feature in Outlook not properly validating if a requested URL is in a local machine zone, intranet zone, or another trusted zone.

Attackers can trigger the vulnerability by sending an affected Outlook client an email reminder with a custom notification sound, according to Akamai. "An attacker can specify a UNC path that would cause the client to retrieve the sound file from any SMB server" on the Internet, instead of from a safe or trusted zone, the vendor added.

To trigger the second vulnerability, an attacker would use the first vulnerability to send a specially crafted email that downloads a malicious sound file from an attacker-controlled server.

"When the downloaded sound file is autoplayed … it can lead to code execution on the victim machine," Akamai said.

According to Ben Barnea, security researcher at Akamai, an attacker can exploit both vulnerabilities individually or in a chained fashion. "While each one of them is a somewhat 'weak' vulnerability, by chaining them together against Outlook we achieved a powerful zero-click RCE vulnerability," he says.

Patch, Then Patch Again

As noted, this is the second time that Akamai researchers have found a way around a March patch that Microsoft issued for the Outlook privilege-escalation flaw tracked as CVE-2023-23397. That original bug gives attackers a way to use a sound file to steal a user's password hash and authenticate to services to which the user has access. As recently as Dec. 4, Microsoft warned of Russia's Fancy Bear group (aka Forest Blizzard) actively exploiting the flaw to gain unauthorized access to email accounts in Exchange server.

Microsoft's original patch sought to ensure that before Outlook handles emails containing custom notification reminders, it first verifies the safety of the URL for the sound file. The patch was designed to ensure that if the URL for the custom notification sound was brought in from an untrusted/unverified domain, Outlook's default notification sound is used instead.

But then, Akamai researchers probing the patch discovered they could bypass it by adding a single character to a function in the Microsoft update. The discovery prompted Microsoft to assign the issue a separate CVE (CVE-2023-29324) and issue a patch for it in May.

The new bypass that Akamai is detailing this week also arises from an issue in the original patch — and it might not be the last problem found in the patch, either.

"The patch for the original vulnerability used a function called 'MapUrlToZone' to mitigate the abuse of the custom reminder sound feature," explains Barnea, noting that the function is a complex one and increases the attack surface available to the attacker.

"As a result, the patch added more code that also had vulnerabilities in it," he says. "We suggested to remove the abused feature instead of using patches, since the feature does more harm than good."

Source URL: https://www.darkreading.com/vulnerabilities-threats/researchers-release-details-on-two-patched-outlook-zero-click-flaws

Author: Jai Vijayan, Contributing Writer

Leave a Comment