Zero-Click Outlook RCE Exploits Are Being Exploited If You Haven’t Patched All The Things

Here’s a great reason why you should always apply patches when they come out. Two now-patched security flaws in Microsoft Windows can be chained by threat actors to achieve remote code execution against Outlook clients without any user interaction:

  • Akamai researcher Ben Barnea found two vulnerabilities in Microsoft Windows, which were assigned CVE-2023-35384 and CVE-2023-36710.
  • An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients.
  • The first vulnerability lies in the parsing of a path by the MapUrlToZone function. Exploiting this vulnerability requires sending a crafted email to an Outlook client, which in turn will download a special sound file from an attacker-controlled server.
  • The second vulnerability lies in the Audio Compression Manager (ACM). This vulnerability is exploited when the downloaded sound file is autoplayed, and it can lead to code execution on the victim machine. This vulnerability is described in detail in part 2 of this blog post.
  • The vulnerabilities were responsibly disclosed to Microsoft and addressed on the August 2023 and October 2023 Patch Tuesdays.
  • Windows machines with the October 2023 software update installed are protected from these vulnerabilities. Additionally, Outlook clients that use Exchange servers patched with the March 2023 software update are protected against the abused feature.

Ariel Ropek, Principal Threat Researcher at Panther Labs, had this comment:

Zero-click vulnerabilities are especially dangerous because they do not require any interaction from the user to be successful, bypassing the need to trick an unsuspecting human as is normally the case with phishing attacks. The complexity of chaining multiple vulnerabilities plus the high probability of success means that zero-click vulnerabilities have historically been exploited by nation-state actors. In September 2023, a similar zero-click vulnerability in iOS dubbed BLASTPASS was reportedly used to install Pegasus spyware targeting activists, government officials, and journalists.

Zero-click exploits are the worst kind, since there is no user action to train people against. Developers really need to test their code for anything that could be abused in an attack chain like this one.
