Microsoft’s Urgent Fix: Bypass of Recent Patches for Critical Outlook Zero-Day Exploited in the Wild
Microsoft Addresses Critical Outlook Zero-Day Bypass Vulnerability
Microsoft swiftly responded to a security vulnerability this week, addressing a flaw that allowed remote attackers to bypass recent patches targeting a critical zero-day security issue in Outlook. This zero-click bypass, known as CVE-2023-29324, impacts all supported versions of Windows and was brought to light by Akamai security researcher Ben Barnea.
Barnea explained, “All Windows versions are affected by the vulnerability. As a result, all Outlook client versions on Windows are exploitable.”
The previously patched Outlook zero-day bug, identified as CVE-2023-23397, is a privilege escalation flaw in the Outlook client for Windows. This flaw enables attackers to illicitly obtain NTLM hashes without user interaction in NTLM-relay attacks. Exploiting the bug involves sending messages with extended MAPI properties containing UNC paths to customized notification sounds, leading the Outlook client to connect to SMB shares under the attackers’ control.
Microsoft tackled the issue by adding a MapUrlToZone call to verify that the UNC path does not point to an internet location, and by replacing the custom sound with the default reminder sound whenever such a path was detected.
During the analysis of the CVE-2023-23397 mitigation, Barnea discovered a way to change the URL in reminder messages, tricking the MapUrlToZone checks into accepting remote paths as local paths. This bypasses Microsoft’s patch, resulting in the Windows Outlook client connecting to the attacker’s server.
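The two paragraphs above describe a denylist check (MapUrlToZone on the raw string) that a differently written path defeated. The added example below is not Microsoft's, Outlook's or Akamai's code and does not reproduce MapUrlToZone; it is a constructed illustration of the defensive alternative: canonicalize the path first, then accept it only if it is positively identified as a local file under an allowed directory (here the assumed directory `C:\Windows\Media`), rejecting everything else, including UNC paths written with either separator, URL schemes, rooted and drive-relative paths, and traversal.

```python
"""Allowlist validation of a "custom reminder sound" path.

Constructed example: it does not reproduce MapUrlToZone or Outlook's patch.
It shows the canonicalize-then-allowlist pattern that a prefix denylist
on the raw string lacks. All paths and hosts below are made up.
"""
import re

# Assumed policy: the only directory a reminder sound may be loaded from.
ALLOWED_SOUND_DIR = r"C:\Windows\Media"


def naive_is_local(path: str) -> bool:
    """Denylist check in the spirit of 'block anything that starts with \\\\'.

    Constructed illustration only: it inspects the raw string, so a path
    that names the same remote location with a different spelling (for
    example forward slashes) is not recognised as remote.
    """
    return not path.startswith("\\\\")


def canonicalize(path: str) -> str:
    """Fold the alternate separator and trim whitespace before any check."""
    return path.strip().replace("/", "\\")


def is_allowed_local_sound(path: str) -> bool:
    """Return True only for a local .wav file under ALLOWED_SOUND_DIR.

    Everything that is not positively identified as such is rejected:
    UNC paths, device paths, rooted paths, URL schemes, drive-relative
    paths, empty components and traversal segments.
    """
    p = canonicalize(path)
    # Any leading separator means UNC (\\host\share), a device path (\\?\)
    # or a path rooted on the current drive: none of these is allowed.
    if p.startswith("\\"):
        return False
    # Two or more letters before a colon is a URL scheme (file:, http:, ...).
    if re.match(r"^[A-Za-z]{2,}:", p):
        return False
    # Must be drive-letter absolute: X:\... (rejects drive-relative C:foo).
    if not re.match(r"^[A-Za-z]:\\", p):
        return False
    # Reject components that a later normalization could fold away.
    components = p.split("\\")[1:]
    if any(c in ("", ".", "..") for c in components):
        return False
    # Containment check on the canonical form; NTFS names are case-insensitive.
    allowed_prefix = ALLOWED_SOUND_DIR.lower().rstrip("\\") + "\\"
    if not p.lower().startswith(allowed_prefix):
        return False
    return p.lower().endswith(".wav")


def classify(paths):
    """Return {path: (naive_verdict, allowlist_verdict)} for a batch of inputs."""
    return {p: (naive_is_local(p), is_allowed_local_sound(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample inputs; example.invalid is a reserved test domain.
    samples = [
        r"C:\Windows\Media\notify.wav",
        "C:/Windows/Media/notify.wav",
        r"\\example.invalid\share\s.wav",
        "//example.invalid/share/s.wav",
        "file://example.invalid/share/s.wav",
        r"C:\Windows\Media\..\..\Users\s.wav",
        r"\Windows\Media\notify.wav",
    ]
    for path, (naive, strict) in classify(samples).items():
        print(f"{path!r:45} naive_local={naive!s:5} allowed={strict}")
```

The allowlist function never tries to enumerate remote spellings; it accepts one shape of input and refuses the rest, so a new way of writing a remote path fails closed instead of slipping past a denylist.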
Barnea shed light on the matter, stating, “This issue seems to be a result of the complex handling of paths in Windows.”
In response to Barnea’s findings, Microsoft issued a warning, emphasizing the importance of installing updates for both CVE-2023-23397 and CVE-2023-29324 to ensure comprehensive protection.
Remember that 0-click Outlook vulnerability with a custom sound leading to NTLM theft?
Akamai researchers found a way to bypass the patch to it.
In our write-up, see how adding a slash allowed for a bypass. https://t.co/eO121SaZur pic.twitter.com/YrrBikMZqj
— Akamai Security Intelligence Group (@akamai_research) May 10, 2023
While Internet Explorer has been retired, the vulnerable MSHTML platform is still utilized by certain applications through the WebBrowser control, as well as by the Internet Explorer mode in Microsoft Edge. Consequently, Microsoft urges customers to install the latest security updates and the IE Cumulative updates, specifically addressing the CVE-2023-29324 vulnerability, to remain fully protected.
The severity of this vulnerability became evident as Microsoft unveiled details from a private threat analytics report, revealing that it had been exploited by Russian APT28 state hackers, also known as STRONTIUM, Sednit, Sofacy, or Fancy Bear. These hackers targeted at least 14 government, military, energy, and transportation organizations between mid-April and December 2022.
APT28 is closely associated with Russia’s military intelligence service, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Exploiting the flaw, the threat actors employed malicious Outlook notes and tasks to steal NTLM hashes, coercing their targets’ devices into authenticating with attacker-controlled SMB shares. The stolen credentials were then used for lateral movement within the victims’ networks and to manipulate Outlook mailbox permissions, facilitating the exfiltration of specific account emails.
To assist Exchange admins in identifying potential breaches, Microsoft released a script. However, they advised administrators to remain vigilant for other signs of exploitation, as threat actors may have taken steps to cover their tracks.
Source: bleepingcomputer.com