A critical vulnerability in Microsoft Outlook, identified as CVE-2024-38173, has been discovered, allowing attackers to gain full access to a user's system through a malicious email [2][3].
Description
This Form Injection Remote Code Execution (RCE) vulnerability, with a CVSS score of 6.7, exploits Outlook's email preview function, so that malware delivered by email can be activated without user interaction [2][3]. The flaw stems from a weakness in Outlook's form-based architecture, which permits the creation and dissemination of malicious forms that can bypass detection.
In the same patching cycle, additional CVEs were disclosed that involve techniques to hijack and leak NTLM credentials, giving attackers the potential to chain vulnerabilities and gain complete control of the system without prior authentication [1]. While Microsoft released a security patch to address this vulnerability, concerns remain about the effectiveness of the fix, indicating ongoing issues with form security [2].
To strengthen their security posture, enterprises are advised to enforce Kerberos authentication, block NTLM where possible, harden endpoints, and restrict protocols such as SMB [2]. Additionally, Automated Moving Target Defense (AMTD) can disrupt attackers' attempts to exploit such vulnerabilities. The existence of similar unpatched vulnerabilities raises the potential for further security risks, emphasizing the importance of proactive defense strategies. Users are urged to update Outlook and Office applications with the latest patches, implement robust email security measures, and educate users on the risks of interacting with emails from unknown sources [3].
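As an added example (not code from the cited articles or from Microsoft), the following read-only PowerShell audit checks a Windows endpoint against the NTLM and SMB recommendations above: the LmCompatibilityLevel and RestrictSendingNTLMTraffic registry values that back the "Network security: Restrict NTLM" policies, and whether an enabled outbound firewall rule blocks SMB (TCP 445). The thresholds used to label a setting "WEAK" are assumptions.

```powershell
# Added example: audit-only check of the NTLM / SMB hardening recommended above.
# The "WEAK"/"OK" thresholds are assumptions, not taken from the cited articles.
function Test-NtlmHardening {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = Join-Path $lsa 'MSV1_0'
    $findings = @()

    # LmCompatibilityLevel: 5 = send NTLMv2 only and refuse LM/NTLM; lower values accept weaker protocols.
    $lm = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $findings += [pscustomobject]@{
        Check     = 'LmCompatibilityLevel'
        Value     = $lm
        Status    = $(if ($null -eq $lm -or $lm -lt 5) { 'WEAK' } else { 'OK' })
        Recommend = 'Set to 5 (NTLMv2 only)'
    }

    # RestrictSendingNTLMTraffic: 0 = allow, 1 = audit, 2 = deny outgoing NTLM to remote servers.
    $send = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $findings += [pscustomobject]@{
        Check     = 'RestrictSendingNTLMTraffic'
        Value     = $send
        Status    = $(switch ($send) { 2 { 'OK' } 1 { 'AUDIT-ONLY' } default { 'WEAK' } })
        Recommend = 'Audit with 1, then set to 2 (deny) once Kerberos is enforced'
    }

    # Outbound SMB: look for an enabled Block rule whose remote port filter includes TCP 445.
    $smbBlock = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).RemotePort -contains '445' }
    $findings += [pscustomobject]@{
        Check     = 'Outbound SMB (TCP 445) block rule'
        Value     = [bool]$smbBlock
        Status    = $(if ($smbBlock) { 'OK' } else { 'WEAK' })
        Recommend = 'Block outbound TCP 445 to untrusted networks'
    }
    return $findings
}

Test-NtlmHardening | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the registry and firewall queries return complete results; it changes nothing on the host.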
Conclusion
The discovery of this critical vulnerability in Microsoft Outlook highlights the need for robust security measures to protect against potential attacks. By implementing recommended security practices and staying informed about the latest threats, organizations and users can mitigate risks and safeguard their systems from malicious exploitation.
References
[1] https://blog.morphisec.com/cve-2024-38173-form-injection
[2] https://www.csoonline.com/article/3486789/microsoft-outlook-security-hole-lets-attackers-in-without-opening-a-tainted-message.html
[3] https://www.infosecurity-magazine.com/news/research-uncovers-new-microsoft/