Microsoft fixed a security vulnerability this week that could be used by remote attackers to bypass recent patches for a critical Outlook zero-day security flaw abused in the wild.
This zero-click bypass (CVE-2023-29324) impacts all supported versions of Windows and was reported by Akamai security researcher Ben Barnea.
“All Windows versions are affected by the vulnerability. As a result, all Outlook client versions on Windows are exploitable,” Barnea explained.
The Outlook zero-day bug patched in March (CVE-2023-23397) is a privilege escalation flaw in the Outlook client for Windows that enables attackers to steal NTLM hashes without user interaction in NTLM-relay attacks.
Threat actors can exploit it by sending messages with extended MAPI properties containing UNC paths to custom notification sounds, causing the Outlook client to connect to SMB shares under their control.
Microsoft addressed the issue by adding a MapUrlToZone call that checks whether the UNC path points to an internet location, and by falling back to the default reminder sound when it does.
Bypass for Outlook zero-click privilege escalation
While analyzing the CVE-2023-23397 mitigation, Barnea discovered that the URL in reminder messages could be changed to trick the MapUrlToZone checks into accepting remote paths as local paths.
This circumvents Microsoft’s patch and causes the Windows Outlook client to connect to the attacker’s server.
“This issue seems to be a result of the complex handling of paths in Windows,” explains Barnea.
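The mitigation described above hinges on deciding whether a reminder-sound path is local or remote, and the bypass shows how fragile a denylist-style check over Windows path syntax can be. As an added illustration (not Microsoft's MapUrlToZone logic and not Akamai's research code), the following hypothetical allowlist-style classifier accepts only plain absolute paths on a local drive letter and reports every other form for review; the item identifiers and path values are constructed samples, not real telemetry.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Allowlist (hypothetical, not Microsoft's check): an absolute path on a
# local drive letter using only backslashes, with no characters Windows
# forbids in file names. Anything else is reported rather than resolved.
_LOCAL_DRIVE_PATH = re.compile(
    r'^[A-Za-z]:\\(?:[^\\/:*?"<>|\x00-\x1f]+\\)*[^\\/:*?"<>|\x00-\x1f]+$'
)


@dataclass(frozen=True)
class Finding:
    item_id: str
    path: str
    verdict: str  # "local-ok" or "suspect"
    reason: str


def classify_reminder_path(path: str) -> tuple[str, str]:
    """Return (verdict, reason) for one reminder-sound path value."""
    if not path:
        return "local-ok", "empty (default reminder sound)"
    if _LOCAL_DRIVE_PATH.fullmatch(path):
        # Reject "." / ".." components so the path cannot climb anywhere.
        if any(p in (".", "..") for p in path[3:].split("\\")):
            return "suspect", "relative components in local path"
        return "local-ok", "absolute path on a local drive"
    # Anything starting with two separators (UNC shares, \\?\ and \\.\
    # device prefixes) may make Outlook authenticate to a remote host.
    if path.startswith("\\\\") or path.startswith("//"):
        return "suspect", "UNC or device prefix (treated as remote)"
    if re.match(r"^[A-Za-z]:", path):
        return "suspect", "drive path with unexpected separators or characters"
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", path):
        return "suspect", "URL-style path"
    return "suspect", "path form not in allowlist"


# Constructed sample values, as an analyst might extract them from the
# reminder-sound property of calendar or task items; not real data.
SAMPLE_ITEMS = {
    "item-001": "",
    "item-002": r"C:\Windows\Media\Alarm01.wav",
    "item-003": r"\\10.0.0.5\share\alert.wav",
    "item-004": r"\\?\C:\Windows\Media\ding.wav",  # non-canonical local form
    "item-005": "http://example.invalid/ding.wav",
    "item-006": r"C:\Users\..\Windows\Media\ring.wav",
}


def scan(items: dict[str, str]) -> list[Finding]:
    return [Finding(i, p, *classify_reminder_path(p)) for i, p in items.items()]


def suspects(items: dict[str, str]) -> list[str]:
    return [f.item_id for f in scan(items) if f.verdict == "suspect"]
```

Item-004 is flagged even though it names a local drive: under an allowlist, a non-canonical form goes to an analyst instead of being judged by a resolver whose behaviour the page shows can be misled.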
In light of Barnea’s findings, Microsoft warns that “Customers must install the updates for CVE-2023-23397 and CVE-2023-29324 to be fully protected.”
While Internet Explorer has been retired, the vulnerable MSHTML platform is still used by some applications through the WebBrowser control, as well as by Internet Explorer mode in Microsoft Edge.
Because of this, Redmond urges customers to install both this month’s security updates and the Internet Explorer cumulative updates released to address CVE-2023-29324 in order to stay fully protected.
Exploited by Russian state hackers for data theft
As Microsoft revealed in a private threat analytics report, the original flaw (CVE-2023-23397) was exploited by the Russian state-sponsored group APT28 (aka STRONTIUM, Sednit, Sofacy, or Fancy Bear) in attacks against at least 14 government, military, energy, and transportation organizations between mid-April and December 2022.
APT28 has been linked to Russia’s military intelligence service, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
The threat actors used malicious Outlook notes and tasks to steal NTLM hashes by forcing their targets’ devices to authenticate to attacker-controlled SMB shares.
These stolen credentials were used for lateral movement within the victims’ networks and to change Outlook mailbox permissions to exfiltrate emails for specific accounts.
Microsoft released a script to help Exchange admins check if their servers were breached but also advised them to look for other signs of exploitation if the threat actors cleaned up their traces.