Microsoft Outlook Zero-Click Security Flaws Triggered by Sound File

Microsoft Outlook Zero-Click Security Flaws Triggered by Sound File

December 19, 2023 at 04:05PM

Researchers disclosed two security vulnerabilities in Microsoft Outlook, which, when combined, allow attackers to execute arbitrary code on systems without any user interaction. The vulnerabilities can be triggered using a sound file. Akamai identified the flaws and Microsoft has issued patches, but additional vulnerabilities in the patches have also been discovered.

From the meeting notes, it is clear that researchers have disclosed details on two significant security vulnerabilities in Microsoft Outlook, known as CVE-2023-35384 and CVE-2023-36710, which have the potential to allow remote code execution (RCE) on affected systems without any user interaction. Furthermore, it is unusual that both vulnerabilities can be triggered using a sound file.

The first vulnerability, CVE-2023-35384, is the second patch bypass uncovered for a critical privilege escalation vulnerability in Outlook, first patched by Microsoft in March. This flaw allows attackers to execute arbitrary code by sending a specially crafted email with a custom notification sound, exploiting a security feature in Outlook to retrieve the sound file from an untrusted source.

The second vulnerability, CVE-2023-36710, is an RCE vulnerability in a feature of Windows Media Foundation, which is triggered when a specially crafted email downloads a malicious sound file from an attacker-controlled server and is autoplayed, leading to code execution on the victim’s machine.

The researchers have highlighted that by chaining these vulnerabilities together, a full zero-click RCE exploit can be created against Outlook clients, posing a significant risk.

Moreover, it is noted that this is the second time Akamai researchers have found a way around a patch issued by Microsoft for the original Outlook privilege-escalation flaw. The original patch was designed to verify the safety of URLs for custom notification sounds before handling them; however, Akamai found a bypass by adding a single character to a function in the Microsoft update, which prompted Microsoft to issue a separate patch.

Additionally, the research suggests that the patch for the original vulnerability may have introduced vulnerabilities itself, as it utilized a complex function called ‘MapUrlToZone’, which increased the attack surface. As a result, the researchers suggested removing the abused feature instead of using the patches.

In conclusion, these vulnerabilities and bypasses pose a significant threat to Outlook clients, and further attention is required to address the complex issues with the affected software.

Full Article