Microsoft fixes serious Outlook security flaw, so patch now

Outlook App
(Image credit: Shutterstock)

Microsoft has patched a flaw in its Outlook email service which allowed threat actors to bypass a previously issued patch for a privilege escalation flaw. A patch for a patch, so to speak.

Cybersecurity researcher Ben Barnea from Akamai recently discovered a zero-click bypass, which is now tracked as CVE-2023-29324. The flaw is present in all versions of Outlook, thus everyone’s vulnerable, he concluded.

"All Windows versions are affected by the vulnerability. As a result, all Outlook client versions on Windows are exploitable," Barnea said.

Everyone at risk

Given that the bypass allows threat actors to exploit a known privilege escalation vulnerability, IT teams should apply the patch as soon as possible. 

The privilege escalation flaw that was patched earlier this year is tracked as CVE-2023-23397, it was said. Threat actors that abuse this flaw can engage in NTLM-relay attacks and grab NTLM hashes without needing the victim’s input. That can be done by sending a malicious message with extended MAPI properties, that contain UNC paths to custom notification sounds, the researchers explained at the time. That makes Outlook connect to SMB shares under the control of the attackers. 

To fix the issue, Microsoft included a MapUrlToZone call, which prevents UNC patsh from linking to internet URLs, and if they did, the sounds get replaced with default reminders. However, Barnea found that the URL in reminder messages can be altered, tricking the MapUrlToZone checks and having the feature accept remote paths and local paths. Consequently, Outlook ends up connecting to a server under the attackers’ control:

"This issue seems to be a result of the complex handling of paths in Windows," Barnea said.

The latest fix doesn’t work as a standalone, Microsoft warned, saying users must apply the fix for both vulnerabilities in order to be protected. 

The company also said that known Russian state-sponsored attackers were leveraging these flaws in campaigns against government and military targets. 

Via: BleepingComputer

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Outlook
Dangerous Microsoft Outlook flaw could let hackers send out malware via email
A phone sitting on a laptop keyboard with the Microsoft Outlook logo on the screen.
US government warns users to patch this critical Microsoft Outlook bug
Flag of the People's Republic of China overlaid with a technological network of wires and circuits.
One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years
Representational image of a cybercriminal
Microsoft just patched a host of worrying security issues, so update now
The best free firewall
Microsoft fixes Power Pages security flaw, tells users to be on their guard
A computer being guarded by cybersecurity.
Worrying Windows security issue patched by 7-Zip, so patch now
Latest in Security
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Oracle
Oracle denies data breach after hacker claims to hold six million records
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
Latest in News
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
Android 16 logo on a phone
Here's how Android 16 will upgrade the screen unlocking process on your Pixel
Man sitting on sofa, drinking coffee, looking at phone in surprise
Thousands of coffee lovers warned to stop using their espresso machines immediately after reports of burns and lacerations