While re-examining a mitigation bypass it had reported earlier, Akamai Technologies discovered two new Windows vulnerabilities that, chained together, could give an attacker a zero-click exploit against Microsoft Outlook clients.
In a two-part report published Monday, Akamai researcher Ben Barnea detailed the discovery of two new Windows vulnerabilities, tracked as CVE-2023-35384 and CVE-2023-36710, that were reported to and addressed by Microsoft.
By chaining the two flaws, he was able to construct a remote code execution exploit for Outlook that required no user interaction.
Barnea's research was inspired by his previous work on an Outlook mitigation bypass for CVE-2023-23397, a vulnerability that was disclosed and patched in March, but continues to be exploited by a Russian nation-state group.
That mitigation bypass, tracked as CVE-2023-29324, was disclosed in May, but Akamai and Microsoft disagreed over its severity.
Microsoft fixed the mitigation bypass in May, but Akamai recommended an additional mitigation step to increase security that went unheeded.
While investigating how Outlook handles reminder sound files, Barnea discovered two new Windows vulnerabilities that could be chained to attack Outlook remotely.
CVE-2023-35384, rated CVSS 6.5, is a security feature bypass vulnerability in the Windows MapUrlToZone function.
Barnea said exploitation requires only that an attacker send an email to an Outlook client; the client then downloads a crafted sound file from the attacker's server with no action by the user.
MapUrlToZone was the security measure Microsoft implemented to fix CVE-2023-23397, which Barnea proved he could bypass with CVE-2023-29324.
The second vulnerability in the new exploit chain, CVE-2023-36710, is a Windows RCE flaw with a 7.8 CVSS score that Akamai discovered in the Audio Compression Manager.
The researchers' goal was to determine whether Outlook could be manipulated into downloading a sound file from a remote location despite Microsoft's previous fixes.
Over three attempts, Barnea bypassed the mitigations by tricking Outlook into treating a remote file path as if it were a local one.
It was during the third attempt that Barnea found the second vulnerability in the chain, CVE-2023-36710, which supplied the remote code execution primitive.
While there are no reports of exploitation, Akamai warned that the threat vector is attractive to attackers.
Microsoft Exchange and Outlook have come under attack multiple times in recent years, and the software giant has been criticized for its vulnerability patching practices.
Security researchers say inadequate patches have failed to fully address root causes of vulnerabilities, leading to mitigation bypasses and new variant flaws.
TechTarget Editorial contacted Microsoft for comment on the chained exploit.
Barnea told TechTarget Editorial that while the vulnerabilities have been patched, the custom sound notification feature poses risk to Outlook users.
Akamai advised following Microsoft's detection and mitigation guidance for the original Outlook vulnerability, CVE-2023-23397.
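As an added illustration of the kind of check that guidance calls for, the Python below flags mailbox items whose custom reminder sound points outside the local machine. This is an example written for this page, not Microsoft's detection script and not Akamai's research code; the only MAPI detail it assumes is that the reminder sound path is carried in the PidLidReminderFileParameter property, and the message records it scans are constructed sample data.

```python
"""Flag Outlook reminder-sound paths that name a remote host.

Added example for this page (not Microsoft's CVE-2023-23397 script, not
Akamai's code). Assumption: the custom reminder sound path travels in the
PidLidReminderFileParameter MAPI property, so a value naming a remote host
is what a detection pass should surface.
"""
import re
from urllib.parse import urlsplit

# Constructed sample records: (message id, PidLidReminderFileParameter value).
# 203.0.113.0/24 is the documentation (TEST-NET-3) range; nothing real here.
SAMPLE_MESSAGES = [
    ("msg-001", r"C:\Windows\Media\Alarm01.wav"),           # local file
    ("msg-002", r"\\203.0.113.10\sounds\remind.wav"),         # UNC path to a remote host
    ("msg-003", "file://203.0.113.10/sounds/remind.wav"),     # file URL with a remote host
    ("msg-004", r"\\?\UNC\203.0.113.10\sounds\remind.wav"),   # long-path UNC form
    ("msg-005", None),                                        # no custom sound set
    ("msg-006", "https://203.0.113.10/remind.wav"),           # web URL
    ("msg-007", r"\\?\C:\Windows\Media\chimes.wav"),          # long-path form, still local
]

_LONG_UNC = re.compile(r"^\\\\[?.]\\UNC\\", re.IGNORECASE)  # \\?\UNC\host\share\...
_DEVICE = re.compile(r"^\\\\[?.]\\")                         # \\?\C:\... or \\.\device
_UNC = re.compile(r"^(\\\\|//)")                             # \\host\share\... or //host/...
_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")                      # C:\... or C:/...
_URL = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")           # scheme://...
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def classify_sound_path(value):
    """Return 'none', 'local' or 'remote' for a reminder sound path value.

    Order matters: the long-path UNC form is checked before the generic
    device prefix, and the drive-letter form before the URL form, so that
    ambiguous prefixes are resolved the same way every time.
    """
    if value is None or not value.strip():
        return "none"
    path = value.strip()
    if _LONG_UNC.match(path):
        return "remote"          # names a server to connect to
    if _DEVICE.match(path):
        return "local"           # \\?\ or \\.\ without UNC stays on this machine
    if _UNC.match(path):
        return "remote"          # classic UNC: first component is a host
    if _DRIVE.match(path):
        return "local"
    if _URL.match(path):
        parts = urlsplit(path)
        if parts.scheme.lower() == "file" and parts.netloc.lower() in LOCAL_HOSTS:
            return "local"       # file:///C:/... has no host
        return "remote"          # file://host/..., http(s)://..., anything else
    return "local"               # bare relative name, resolved locally


def find_suspicious_reminders(messages):
    """Return [(message id, path)] for every item whose sound path is remote."""
    return [
        (msg_id, value)
        for msg_id, value in messages
        if classify_sound_path(value) == "remote"
    ]


if __name__ == "__main__":
    for msg_id, value in find_suspicious_reminders(SAMPLE_MESSAGES):
        print(f"{msg_id}: reminder sound points to a remote host: {value}")
```

The classifier is deliberately strict about anything that names a host, including the `\\?\UNC\` long-path spelling and `file://` URLs with a non-local authority, because the whole point of the Outlook chain was that a path which looks local to one parser is remote to the component that actually fetches it. A real deployment would read the property from Exchange or a PST rather than from an inline list, and would review every hit rather than only the ones whose host is obviously external.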
This Cyber News was published on www.techtarget.com. Publication date: Mon, 18 Dec 2023 15:13:18 +0000