Akamai Technologies recently disclosed two security vulnerabilities in Microsoft Windows Outlook clients that Microsoft promptly patched in August and October 2023. These vulnerabilities, tracked as CVE-2023-35384 and CVE-2023-23397 [3], could be exploited by cybercriminals to achieve remote code execution on the Outlook email service without any user interaction [4].

Description

CVE-2023-35384 involves a security feature bypass in the MapUrlToZone function [3], while CVE-2023-23397 is a privilege-escalation flaw that can lead to the theft of NTLM credentials [4]. A Russian cyber threat group, APT29, has been actively exploiting one of the vulnerabilities to gain unauthorized access to victims’ accounts on Exchange servers [4]. By chaining these flaws, an attacker could build a zero-click exploit for Outlook and execute malicious code remotely.

Additionally, another vulnerability, CVE-2023-36710 [2] [3] [4] [5] [6], was patched by Microsoft in October 2023 [4] [5] [6]. This vulnerability affects the Audio Compression Manager (ACM) component and is caused by an integer overflow vulnerability when playing a WAV file [4]. It can be combined with the previously mentioned vulnerabilities to download a custom sound file that, when autoplayed using Outlook’s reminder sound feature [4], can lead to a zero-click code execution on the victim’s machine [4].

To mitigate the risks, users are advised to keep their systems up to date and follow Microsoft’s guidance for detecting and mitigating the original Outlook vulnerability, CVE-2023-23397 [2] [3] [4] [5] [6]. Akamai researcher Ben Barnea discovered these vulnerabilities and described the exploits and prevention methods in detail in two blog posts. The exploits target the Windows Audio Compression Manager component [1], which processes sound files such as WAV files [1]. Machines with the October 2023 software update, and Outlook clients using Exchange servers patched with the March 2023 software update, are protected [1]. The March Outlook vulnerability was previously exploited by a Russian state-sponsored malware group called Forest Blizzard [1]. Barnea found a “zero-click” exploit that allows control over a Windows machine when a user receives an email reminder with an attached custom notification sound [1]. Microsoft has provided mitigation guidance [1], but Barnea suggests additional measures such as micro network segmentation and disabling NTLM, or adding users to the Protected Users group in Active Directory [1].
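As an added example, not taken from the cited articles or from Akamai's or Microsoft's own guidance, the PowerShell script below audits the two host-side mitigations the paragraph names: whether outbound NTLM is restricted on the machine (via the documented `RestrictSendingNTLMTraffic` and `LmCompatibilityLevel` registry values) and whether a given set of accounts is a member of the Active Directory Protected Users group. It assumes a domain-joined host with the RSAT ActiveDirectory module installed; the account names passed in are constructed placeholders.

```powershell
# Added example (not from the cited articles): audit NTLM restriction and
# Protected Users membership, the host-side mitigations named in the text.
# Assumes a domain-joined host with the RSAT ActiveDirectory module.
# The default account names below are constructed placeholders.
param(
    [string[]]$AccountsToCheck = @('svc-outlook-placeholder', 'admin-placeholder')
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $Default   # value absent: Windows falls back to its built-in default
    }
}

# RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all.
# LmCompatibilityLevel: 5 = send NTLMv2 only and refuse LM/NTLMv1.
$restrictOutbound = Get-RegValueOrDefault $msv 'RestrictSendingNTLMTraffic' 0
$lmLevel          = Get-RegValueOrDefault $lsa 'LmCompatibilityLevel' 3

$findings = @()
if ($restrictOutbound -lt 2) {
    $findings += "Outbound NTLM is not denied (RestrictSendingNTLMTraffic=$restrictOutbound); " +
                 "the NTLM credential theft described in the text is not blocked on this host."
}
if ($lmLevel -lt 5) {
    $findings += "LmCompatibilityLevel=$lmLevel; level 5 refuses LM and NTLMv1 responses entirely."
}

# Members of Protected Users cannot authenticate with NTLM at all, which is
# the per-account mitigation the text mentions.
Import-Module ActiveDirectory -ErrorAction Stop
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
             Select-Object -ExpandProperty SamAccountName
foreach ($acct in $AccountsToCheck) {
    if ($protected -notcontains $acct) {
        $findings += "$acct is not in Protected Users; NTLM authentication is still permitted for it."
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All checked mitigations are in place.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it as an administrator on the host being checked; it only reads registry values and group membership, so it is safe to schedule across a fleet and feed the `FINDING:` lines into whatever reporting you already use. Denying outbound NTLM entirely (value 2) can break legacy services, which is why the first finding is worded as a gap to review rather than a setting to flip blindly.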

Conclusion

These security vulnerabilities in Microsoft Windows Outlook clients have significant implications for users and organizations. The exploitation of these vulnerabilities by cybercriminals and state-sponsored groups highlights the importance of keeping systems up to date and following mitigation guidance from Microsoft. The discovery of these vulnerabilities by Akamai researcher Ben Barnea underscores the ongoing need for proactive security measures and the continuous monitoring of potential threats. Moving forward, it is crucial for users to remain vigilant and implement additional measures, such as micro network segmentation and disabling NTLM [1] [3], to further protect against potential attacks.

References

[1] https://siliconangle.com/2023/12/18/akamai-finds-new-outlook-exploits-leverage-sound-file-attachments/
[2] https://owasp.or.id/2023/12/18/experts-reveal-new-details-on-zero-click-outlook-rce-exploits/
[3] https://www.techtarget.com/searchSecurity/news/366563449/Akamai-discloses-zero-click-exploit-for-Microsoft-Outlook
[4] https://vulnera.com/newswire/emerging-details-on-zero-click-outlook-remote-code-execution-exploits/
[5] https://flyytech.com/2023/12/18/experts-reveal-new-details-on-zero-click-outlook-rce-exploits/
[6] https://thehackernews.com/2023/12/beware-experts-reveal-new-details-on.html