Researchers this week disclosed details on two security vulnerabilities in Microsoft Outlook that, when chained together, give attackers a way to execute arbitrary code on affected systems without any user interaction.
Unusually, both of them can be triggered using a sound file.
One of the flaws, tracked as CVE-2023-35384, is actually the second patch bypass that researchers at Akamai have uncovered for a critical privilege escalation vulnerability in Outlook that Microsoft first patched in March.
The second flaw that Akamai disclosed this week is a remote code execution vulnerability in a feature of Windows Media Foundation, and it has to do with how Windows parses sound files.
Arbitrary Code Execution
Microsoft issued a patch for CVE-2023-35384 in August, after Akamai researchers contacted the company.
The flaw stems from a security feature in Outlook not properly validating if a requested URL is in a local machine zone, intranet zone, or another trusted zone.
Attackers can trigger the vulnerability by sending an affected Outlook client an email reminder with a custom notification sound, according to Akamai.
To trigger the second vulnerability, an attacker would use the first vulnerability to send a specially crafted email that downloads a malicious sound file from an attacker-controlled server.
According to Ben Barnea, security researcher at Akamai, an attacker can exploit both vulnerabilities individually or in a chained fashion.
Patch, Then Patch Again
As noted, this is the second time that Akamai researchers have found a way around a March patch that Microsoft issued for the Outlook privilege-escalation flaw tracked as CVE-2023-23397.
That original bug gives attackers a way to use a sound file to steal a user's password hash and authenticate to services to which the user has access.
As recently as Dec. 4, Microsoft warned of Russia's Fancy Bear group actively exploiting the flaw to gain unauthorized access to email accounts on Exchange Server.
Microsoft's original patch sought to ensure that before Outlook handles emails containing custom notification reminders, it first verifies the safety of the URL for the sound file.
The patch was designed to ensure that if the URL for the custom notification sound was brought in from an untrusted/unverified domain, Outlook's default notification sound is used instead. But then, Akamai researchers probing the patch discovered they could bypass it by adding a single character to a function in the Microsoft update.
The discovery prompted Microsoft to assign the issue a separate CVE and issue a patch for it in May. The new bypass that Akamai is detailing this week also arises from an issue in the original patch - and it might not be the last problem found in the patch, either.
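To make the validation the article describes concrete, here is an added, simplified illustration (not Microsoft's code) of the decision a mail client should make before playing a custom reminder sound: a candidate path is accepted only if it is a plain local drive-letter path, and anything that names a remote host or carries a URL scheme falls back to the default sound. The default sound path and the hostnames in the tests are constructed; the strict local-only policy is an assumption, stricter than the zone model the article mentions.

```python
"""Simplified trusted-location check for a reminder sound path.

Added illustration of the check the article describes; not Microsoft's code.
Assumed policy: only a local drive-letter path to a .wav file is trusted.
"""

# Constructed default; the real client's default sound path may differ.
DEFAULT_SOUND = r"C:\Windows\Media\Windows Notify Calendar.wav"


def _normalize(path: str) -> str:
    # Collapse forward slashes to backslashes and trim whitespace so a
    # mixed-separator form cannot disguise a UNC or URL-style location.
    return path.strip().replace("/", "\\")


def is_local_sound_path(candidate: str) -> bool:
    """True only for <drive>:\\...\\name.wav with no host component."""
    p = _normalize(candidate)
    # A colon anywhere other than position 1 means a URL scheme
    # (http:, https:, file:) rather than a drive letter: reject.
    if ":" in p and not (len(p) > 1 and p[1] == ":"):
        return False
    # UNC (\\host\share) and extended-length (\\?\...) forms name a host
    # or bypass normal parsing: reject both.
    if p.startswith("\\\\"):
        return False
    # Require an absolute drive-letter path.
    if len(p) < 3 or not p[0].isalpha() or p[1] != ":" or p[2] != "\\":
        return False
    # Reject traversal components that could escape the media directory.
    if "..\\" in p or p.endswith(".."):
        return False
    return p.lower().endswith(".wav")


def choose_reminder_sound(candidate: str) -> str:
    """Return the candidate if it passes the local check, else the default."""
    return candidate if is_local_sound_path(candidate) else DEFAULT_SOUND


if __name__ == "__main__":
    for sample in [r"C:\Windows\Media\chime.wav",
                   r"\\attacker.example\share\chime.wav",   # constructed
                   "http://attacker.example/chime.wav"]:     # constructed
        print(sample, "->", choose_reminder_sound(sample))
```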
This Cyber News was published on www.darkreading.com. Publication date: Tue, 19 Dec 2023 21:05:05 +0000