Microsoft Patches Bypass for Recently Fixed Outlook Zero-click Bug

Posted on 11 May at 7:24 am

Microsoft fixed a security vulnerability this week that could be used by remote attackers to bypass recent patches for a critical Outlook zero-day security flaw abused in the wild.

This zero-click bypass (CVE-2023-29324) impacts all supported versions of Windows and was reported by Akamai security researcher Ben Barnea.

“All Windows versions are affected by the vulnerability. As a result, all Outlook client versions on Windows are exploitable,” Barnea explained.

The Outlook zero-day bug patched in March (CVE-2023-23397) is a privilege escalation flaw in the Outlook client for Windows that enables attackers to steal NTLM hashes without user interaction in NTLM-relay attacks.

Threat actors can exploit it by sending messages with extended MAPI properties containing UNC paths to custom notification sounds, causing the Outlook client to connect to SMB shares under their control.

Microsoft addressed the issue by adding a MapUrlToZone call that checks whether the UNC path points to an internet location, and by replacing the custom sound with the default reminder sound if it does.

Bypass for Outlook zero-click privilege escalation

While analyzing the CVE-2023-23397 mitigation, Barnea discovered that the URL in reminder messages could be changed to trick the MapUrlToZone checks into accepting remote paths as local paths.

This circumvents Microsoft’s patch and causes the Windows Outlook client to connect to the attacker’s server.

“This issue seems to be a result of the complex handling of paths in Windows,” explains Barnea.
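The two passages above describe the mechanism (a custom reminder-sound path stored in an extended MAPI property that points to a remote share) and why a zone-mapping check on such a path proved fragile. The following added example, not part of the original article or of Microsoft's or Akamai's tooling, is a defender-side triage routine over hypothetical extracted property values: it allowlists plain local drive paths and flags everything else, so it does not have to enumerate every spelling of a remote path. The sample messages are constructed.

```python
import re
from typing import Iterable

# Constructed sample data: (message id, value of the custom reminder-sound
# property) as an incident responder might extract it from exported messages.
SAMPLE_MESSAGES = [
    ("msg-001", r"C:\Windows\Media\Alarm01.wav"),
    ("msg-002", r"\\192.0.2.10\share\alert.wav"),
    ("msg-003", r"\\fileserver.example.test\sounds\alert.wav"),
    ("msg-004", "file://192.0.2.10/share/alert.wav"),
    ("msg-005", r"C:\Windows\Media\..\..\..\Users\Public\x.wav"),
    ("msg-006", ""),
]

# Allowlist pattern: absolute drive-letter path made of ordinary segments only.
LOCAL_PATH_RE = re.compile(r'^[A-Za-z]:\\(?:[^\\/:*?"<>|]+\\)*[^\\/:*?"<>|]+$')


def is_plain_local_path(value: str) -> bool:
    """Accept only paths that are unambiguously local files.

    Anything that is not an absolute drive path with plain segments
    (no '.' or '..' components, no UNC or URL forms) is rejected, so the
    check does not depend on classifying the many ways a remote path can
    be written, which is where zone-based checks tend to break.
    """
    if not LOCAL_PATH_RE.match(value):
        return False
    segments = value[3:].split("\\")
    return all(seg not in (".", "..") for seg in segments)


def triage(messages: Iterable[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (id, value, reason) for each message whose reminder-sound
    property is set to anything other than a plain local path."""
    flagged = []
    for msg_id, value in messages:
        if value == "":
            continue  # property not set: the client uses its default sound
        if is_plain_local_path(value):
            continue
        if value.startswith("\\\\") or value.lower().startswith("file:"):
            reason = "UNC path or file URL: would cause an outbound SMB connection"
        else:
            reason = "non-local or malformed path"
        flagged.append((msg_id, value, reason))
    return flagged


if __name__ == "__main__":
    for msg_id, value, reason in triage(SAMPLE_MESSAGES):
        print(f"{msg_id}: {reason} -> {value}")
```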

In light of Barnea’s findings, Microsoft warns that “Customers must install the updates for CVE-2023-23397 and CVE-2023-29324 to be fully protected.”

While Internet Explorer has been retired, the vulnerable MSHTML platform is still used by some applications through the WebBrowser control, as well as by Internet Explorer mode in Microsoft Edge.

Because of this, Redmond urges customers to install both this month’s security updates and the IE Cumulative updates released to address the CVE-2023-29324 vulnerability to stay fully protected.

Exploited by Russian state hackers for data theft

As Microsoft revealed in a private threat analytics report, CVE-2023-23397 was exploited by the Russian state-sponsored group APT28 (also known as STRONTIUM, Sednit, Sofacy, or Fancy Bear) in attacks against at least 14 government, military, energy, and transportation organizations between mid-April and December 2022.

APT28 has been linked to Russia’s military intelligence service, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

The threat actors used malicious Outlook notes and tasks to steal NTLM hashes by forcing their targets’ devices to authenticate to attacker-controlled SMB shares.

These stolen credentials were used for lateral movement within the victims’ networks and to change Outlook mailbox permissions to exfiltrate emails for specific accounts.

Microsoft released a script to help Exchange admins check if their servers were breached but also advised them to look for other signs of exploitation if the threat actors cleaned up their traces.
