Why Microsoft just patched a patch that squashed an under-attack Outlook bug

Trending 4 months ago

Microsoft successful March fixed an absorbing information spread successful Outlook that was exploited by miscreants to leak victims' Windows credentials. This week nan IT elephantine fixed that hole arsenic portion of its monthly Patch Tuesday update.

To punctual you of nan original bug, tracked arsenic CVE-2023-23397: it was imaginable to nonstop personification an email that included a reminder pinch a civilization notification sound. That civilization sound could beryllium specified arsenic a URL way wrong nan email.

If a miscreant cautiously crafted a message pinch that sound way group to a distant SMB server, erstwhile Outlook fetched and processed nan message, and automatically followed nan way to nan record server, it would manus complete nan user's Net-NTLMv2 hash successful an effort to log in. That would efficaciously leak nan hash to an extracurricular party, who could perchance usage nan credential to entree different resources arsenic that user, allowing nan intruder to research soul web systems, bargain documents, impersonate their victim, and truthful on.

The spot from a mates of months agone made Outlook usage nan Windows usability MapUrlToZone to inspect wherever a notification sound way was really pointing, and if it was retired to nan internet, it would beryllium ignored and nan default sound would play. That should person stopped nan customer connecting to a distant server and leaking hashes.

It turned retired this MapUrlToZone-based protection could beryllium bypassed, prompting Microsoft to person to statement up its March hole successful May. The original bug was being exploited successful nan wild, and truthful erstwhile nan spot for it landed, it sewage everyone's attention. And that attraction helped uncover that nan hole was incomplete.

And if it was near incomplete, whoever was abusing nan original bug could usage nan different vulnerability to get astir nan original patch. So to beryllium clear, it's not that nan hole for CVE-2023-23397 didn't activity – it did – it conscionable wasn't capable to wholly unopen nan civilization sound record hole.

"This vulnerability is yet different illustration of spot scrutinizing starring to caller vulnerabilities and bypasses," said Akamai's Ben Barnea, who spotted and reported nan MapUrlToZone bypass.

"Specifically for this vulnerability, nan summation of 1 characteristic allows for a captious spot bypass."

Crucially, while nan first bug was successful Outlook, this 2nd rumor pinch MapUrlToZone lies successful Microsoft's implementation of that usability successful nan Windows API. That intends nan 2nd spot is not for Outlook but for nan underlying MSHTML level successful Windows, and each versions of nan OS are affected by that bug, Barnea wrote. The problem is that a maliciously constructed way tin beryllium passed to MapUrlToZone truthful that nan usability determines nan way is not to nan outer net erstwhile it really is erstwhile nan exertion comes to unfastened nan path.

According to Barnea, emails tin incorporate a reminder that includes a civilization notification sound specified arsenic a way utilizing an extended MAPI spot utilizing PidLidReminderFileParameter.

"An attacker tin specify a UNC way that would origin nan customer to retrieve nan sound record from immoderate SMB server," he explained. "As portion of nan relationship to nan distant SMB server, nan Net-NTLMv2 hash is sent successful a speech message."

That flaw was bad capable to gain a CVSS severity standing of 9.8 retired of 10 and had been exploited by a Russia-linked unit for astir a twelvemonth by nan clip nan hole was issued successful March. The cyber-gang utilized it successful attacks against organizations successful European governments arsenic good arsenic transportation, energy, and subject spaces.

  • Apple pushes first-ever 'rapid' spot – and quickly screws up
  • It's official: BlackLotus malware tin bypass Secure Boot connected Windows machines
  • Mirai botnet loves exploiting your unpatched TP-Link routers, CISA warns

To find a bypass for Microsoft's original patch, Barnea wanted to trade a way that MapUrlToZone would explanation arsenic local, intranet, aliases a trusted area – meaning Outlook could safely travel it – but erstwhile passed to nan CreateFile usability to open, would make nan OS spell link to a distant server.

Eventually he recovered that miscreants could alteration nan URL successful reminder messages, which duped MapUrlToZone checks into seeing distant paths arsenic section ones. And it could beryllium done pinch a azygous keystroke, adding a 2nd '\' to nan cosmopolitan naming normal (UNC) path.

"An unauthenticated attacker connected nan net could usage nan vulnerability to coerce an Outlook customer to link to an attacker-controlled server," Barnea wrote. "This results successful NTLM credentials theft. It is simply a zero-click vulnerability, meaning it tin beryllium triggered pinch nary personification interaction."

He added that nan problem appears to beryllium nan "result of nan analyzable handling of paths successful Windows. … We judge this benignant of disorder tin perchance origin vulnerabilities successful different programs that usage MapUrlToZone connected a user-controlled way and past usage a record cognition (such arsenic CreateFile aliases a akin API) connected nan aforesaid path."

The flaw, CVE-2023-29324, has a CVSS severity people of 6.5. Microsoft is recommending organizations fix some that vulnerability – a spot was issued arsenic portion of Patch Tuesday this week – arsenic good arsenic nan earlier CVE-2023-23397.

Barnea wrote that he hoped Microsoft will region nan civilization reminder sound feature, saying it poses much information risks than immoderate imaginable worth to users.

"It is simply a zero-click media parsing onslaught aboveground that could perchance incorporate captious representation corruption vulnerabilities," he wrote. "Considering really ubiquitous Windows is, eliminating an onslaught aboveground arsenic ripe arsenic this is could person immoderate very affirmative effects." ®