Microsoft has patched a flaw in its Outlook email service which allowed threat actors to bypass a previously issued patch for a privilege escalation flaw. A patch for a patch, so to speak.
Cybersecurity researcher Ben Barnea from Akamai recently discovered a zero-click bypass, which is now tracked as CVE-2023-29324. The flaw is present in all versions of Outlook, thus everyone’s vulnerable, he concluded.
"All Windows versions are affected by the vulnerability. As a result, all Outlook client versions on Windows are exploitable," Barnea said.
Everyone at risk
Given that the bypass allows threat actors to exploit a known privilege escalation vulnerability, IT teams should apply the patch as soon as possible.
The privilege escalation flaw that was patched earlier this year is tracked as CVE-2023-23397, it was said. Threat actors that abuse this flaw can engage in NTLM-relay attacks and grab NTLM hashes without needing the victim’s input. That can be done by sending a malicious message with extended MAPI properties, that contain UNC paths to custom notification sounds, the researchers explained at the time. That makes Outlook connect to SMB shares under the control of the attackers.
To fix the issue, Microsoft included a MapUrlToZone call, which prevents UNC patsh from linking to internet URLs, and if they did, the sounds get replaced with default reminders. However, Barnea found that the URL in reminder messages can be altered, tricking the MapUrlToZone checks and having the feature accept remote paths and local paths. Consequently, Outlook ends up connecting to a server under the attackers’ control:
"This issue seems to be a result of the complex handling of paths in Windows," Barnea said.
The latest fix doesn’t work as a standalone, Microsoft warned, saying users must apply the fix for both vulnerabilities in order to be protected.
The company also said that known Russian state-sponsored attackers were leveraging these flaws in campaigns against government and military targets.
- These are the best firewalls