Microsoft’s Urgent Fix: Bypassing Recent Patches for Critical Outlook Zero-Day Exploited in the Wild

by | May 12, 2023 | News

Premium Content

Patreon
Subscribe to Patreon to watch this episode.
Reading Time: 3 Minutes

Microsoft Addresses Critical Outlook Zero-Day Bypass Vulnerability

Microsoft swiftly responded to a security vulnerability this week, addressing a flaw that allowed remote attackers to bypass recent patches targeting a critical zero-day security issue in Outlook. This zero-click bypass, known as CVE-2023-29324, impacts all supported versions of Windows and was brought to light by Akamai security researcher Ben Barnea.

Barnea explained, “All Windows versions are affected by the vulnerability. As a result, all Outlook client versions on Windows are exploitable.”

The previously patched Outlook zero-day bug, identified as CVE-2023-23397, is a privilege escalation flaw in the Outlook client for Windows. This flaw enables attackers to illicitly obtain NTLM hashes without user interaction in NTLM-relay attacks. Exploiting the bug involves sending messages with extended MAPI properties containing UNC paths to customized notification sounds, leading the Outlook client to connect to SMB shares under the attackers’ control.

Microsoft tackled the issue by implementing a MapUrlToZone call to ensure that UNC paths do not link to internet URLs. Additionally, they replaced the sounds with default reminders if such links were detected.

See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses

Microsoft Warns of Critical Outlook Zero-Day Bypass Vulnerability Exploited by APT28 Hackers

During the analysis of the CVE-2023-23397 mitigation, Barnea discovered a way to change the URL in reminder messages, tricking the MapUrlToZone checks into accepting remote paths as local paths. This bypasses Microsoft’s patch, resulting in the Windows Outlook client connecting to the attacker’s server.

Barnea shed light on the matter, stating, “This issue seems to be a result of the complex handling of paths in Windows.”

In response to Barnea’s findings, Microsoft issued a warning, emphasizing the importance of installing updates for both CVE-2023-23397 and CVE-2023-29324 to ensure comprehensive protection.

While Internet Explorer has been retired, the vulnerable MSHTML platform is still utilized by certain applications through the WebBrowser control, as well as by the Internet Explorer mode in Microsoft Edge. Consequently, Microsoft urges customers to install the latest security updates and the IE Cumulative updates, specifically addressing the CVE-2023-29324 vulnerability, to remain fully protected.

The severity of this vulnerability became evident as Microsoft unveiled details from a private threat analytics report, revealing that it had been exploited by Russian APT28 state hackers, also known as STRONTIUM, Sednit, Sofacy, or Fancy Bear. These hackers targeted at least 14 government, military, energy, and transportation organizations between mid-April and December 2022.

APT28 is closely associated with Russia’s military intelligence service, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Exploiting the flaw, the threat actors employed malicious Outlook notes and tasks to steal NTLM hashes, coercing their targets’ devices into authenticating with attacker-controlled SMB shares. The stolen credentials were then used for lateral movement within the victims’ networks and to manipulate Outlook mailbox permissions, facilitating the exfiltration of specific account emails.

To assist Exchange admins in identifying potential breaches, Microsoft released a script. However, they advised administrators to remain vigilant for other signs of exploitation, as threat actors may have taken steps to cover their tracks.

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!


Information Security Solutions

Find out how Pentesting Services can help you.


Join our Community

Share This