February 14, 2024 at 05:02PM
Microsoft has identified a critical security vulnerability in Outlook, CVE-2024-21413, that remote unauthenticated attackers can exploit to achieve remote code execution and steal NTLM credentials. The flaw bypasses Protected View and can be exploited through the Preview Pane, affecting multiple Office products. Check Point revealed a bypass mechanism, #MonikerLink, and urges prompt patching.
Key takeaways:
1. Microsoft retracted the “active exploitation” update on the CVE-2024-21413 advisory.
2. A critical Outlook security vulnerability, tracked as CVE-2024-21413, enables remote code execution (RCE) when opening emails with malicious links using vulnerable Microsoft Outlook versions.
3. The vulnerability also allows attackers to bypass the Office Protected View and open malicious Office files in editing mode.
4. The Preview Pane in Outlook is an attack vector for this security flaw.
5. Unauthenticated attackers can exploit CVE-2024-21413 remotely without requiring user interaction.
6. The vulnerability affects multiple Office products, including Microsoft Office LTSC 2021 and Microsoft 365 Apps for Enterprise, as well as Microsoft Outlook 2016 and Microsoft Office 2019 in extended support.
7. The vulnerability, dubbed “Moniker Link,” allows attackers to bypass Outlook protections by adding an exclamation mark to URLs pointing to attacker-controlled servers.
8. The vulnerability may also impact other software that uses the unsafe MkParseDisplayName API.
9. Successful exploitation of CVE-2024-21413 can result in the theft of NTLM credential information and arbitrary code execution via maliciously crafted Office documents.
10. Microsoft updated the CVE-2024-21413 security advisory to warn that the Outlook bug was being exploited in attacks as a zero-day before the recent Patch Tuesday, but has since reverted the change.
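For mail-gateway or mailbox triage, the link trait described in item 7 can be searched for directly. The following is an added example, not code from Microsoft or Check Point: a heuristic that lists hyperlinks in an HTML mail body whose target contains an exclamation mark outside the `#fragment`. The function names, the skipped schemes and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes that do not make the mail client fetch a remote resource (assumed list).
SKIP_SCHEMES = {"mailto", "tel", "cid"}


class _HrefCollector(HTMLParser):
    """Collects the href value of every <a> tag in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v.strip() for k, v in attrs if k == "href" and v)


def flag_links(html_body):
    """Return (scheme, href) for links carrying '!' before any #fragment."""
    collector = _HrefCollector()
    collector.feed(html_body)
    hits = []
    for href in collector.hrefs:
        scheme = urlsplit(href).scheme  # lower-cased by urlsplit
        if scheme in SKIP_SCHEMES:
            continue
        # Ignore the fragment: "#!/route" hashbang links are common and benign.
        target = href.split("#", 1)[0]
        if "!" in target:
            hits.append((scheme, href))
    return hits


# Constructed sample message body (reserved .test domains, not real traffic).
SAMPLE = """
<p>Invoice: <a href="https://files.example.test/invoice.docx!view">open</a></p>
<p><a href="https://app.example.test/#!/dashboard">dashboard</a></p>
<p><a href="mailto:ops@example.test?subject=Hi!">contact</a></p>
<p><a href="https://www.example.test/help">help</a></p>
"""

if __name__ == "__main__":
    for scheme, href in flag_links(SAMPLE):
        print(f"review: scheme={scheme} href={href}")
```

A hit is a prompt for analyst review, not proof of exploitation; patching the affected Office versions remains the fix.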