Microsoft has fixed a vulnerability in its Outlook client for Windows that allowed threat actors to bypass a patch it released earlier this year for a privilege escalation flaw. A patch for a patch, so to speak.
Cybersecurity researcher Ben Barnea of Akamai recently discovered a zero-click bypass, which is now tracked as CVE-2023-29324. He concluded that the flaw is present in every version of Outlook for Windows, so every user of the client is affected.
“All versions of Windows are affected by the vulnerability. As a result, all versions of the Outlook client on Windows are vulnerable to the exploit,” Barnea said.
Everyone is in danger
Because the bypass reopens a known privilege escalation vulnerability, IT teams should apply the patch as soon as possible.
The privilege escalation bug patched earlier this year is tracked as CVE-2023-23397. Threat actors abusing it can carry out NTLM relay attacks and capture NTLM hashes with no interaction from the victim. As the researchers explained at the time, the attacker sends a message whose extended MAPI properties contain a UNC path for a custom reminder sound; when the reminder fires, Outlook connects to an SMB share under the attackers’ control.
To fix the problem, Microsoft added a MapUrlToZone call that checks whether the UNC path falls into the Internet zone; if it does, Outlook plays its default reminder sound instead. However, Barnea found that the URL in the reminder could be crafted so that MapUrlToZone classifies it as a local path while Windows still resolves it as a remote one. The check passes, and Outlook ends up connecting to a server under the attackers’ control:
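The behaviour described above, Outlook opening an SMB connection to a host the attacker controls, is visible in endpoint telemetry. The following is an added example, not code from the article or from Microsoft or Akamai: it runs a simple triage rule over constructed records shaped like Sysmon Event ID 3 (network connection) events and flags OUTLOOK.EXE connecting on an SMB port to any address outside a configured set of internal ranges. The field names match Sysmon's; the sample records, the internal-range list and the documentation-range "attacker" addresses are assumptions of the example.

```python
import ipaddress

# Constructed sample records in the shape of Sysmon Event ID 3 (network
# connection) events, reduced to the fields the check uses. Made-up test
# data for this example, not logs from a real incident; 203.0.113.0/24 and
# 2001:db8::/32 are documentation ranges standing in for attacker hosts.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "10.20.30.40", "DestinationPort": 445},      # corporate file server
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.7", "DestinationPort": 445},      # SMB out to the internet
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},      # ordinary HTTPS, ignored
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "198.51.100.9", "DestinationPort": 445},     # not Outlook, ignored
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "2001:db8::5", "DestinationPort": 139},      # NetBIOS session, IPv6
]

# Address space treated as "inside" (assumption: replace with the estate's real ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

SMB_PORTS = {445, 139}  # SMB directly over TCP, and SMB over the NetBIOS session service


def is_internal(ip_text):
    """True when the address falls inside one of the configured internal ranges.
    A v4 address tested against a v6 network (or vice versa) is simply not contained."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_outlook_smb_egress(events):
    """Return (ip, port) pairs, in the order seen, where OUTLOOK.EXE opened an
    SMB connection to a host outside the internal ranges."""
    hits = []
    for ev in events:
        exe = ev["Image"].rsplit("\\", 1)[-1].lower()   # image name without its directory
        port = int(ev["DestinationPort"])
        if exe == "outlook.exe" and port in SMB_PORTS and not is_internal(ev["DestinationIp"]):
            hits.append((ev["DestinationIp"], port))
    return hits


if __name__ == "__main__":
    for ip, port in find_outlook_smb_egress(SAMPLE_EVENTS):
        print(f"ALERT: OUTLOOK.EXE -> {ip}:{port} (SMB to a non-internal host)")
```

On the sample data the rule reports the two connections to the documentation addresses and nothing else. Treat it as a triage filter rather than a complete detection: a relay target on a compromised internal host would pass the internal-range test, and the rule says nothing about whether the connection succeeded. Blocking outbound TCP 445 at the perimeter, which Microsoft recommended alongside the original CVE-2023-23397 patch, stops the internet-facing case outright.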
“It seems that this problem is caused by the complex handling of paths in Windows,” Barnea said.
Microsoft warned that the new fix does not work on its own: users must apply the patches for both vulnerabilities in order to be protected.
The company also said that known Russian state-sponsored attackers have been exploiting these flaws in campaigns against government and military targets.
Via: BleepingComputer