Outlook Plays Attacker Tunes: Vulnerability Chain Leading to Zero-Click RCE

December 19, 2023 at 03:39PM

Akamai security researchers have disclosed multiple bypasses for Microsoft’s patches for an Outlook zero-click remote code execution vulnerability. The original issue, CVE-2023-23397, was exploited by a Russian state-sponsored threat actor, prompting Microsoft to release a patch in March 2023. Akamai identified other bypasses, which Microsoft addressed in later patches.

Key Takeaways:

1. Security researchers at Akamai discovered multiple bypasses for patches Microsoft released for an Outlook zero-click remote code execution vulnerability (CVE-2023-23397).
2. The original vulnerability allowed unauthenticated attackers to send an email reminder whose notification sound is specified as a path, coercing the Outlook client into connecting to the attacker’s server.
3. Microsoft resolved the original issue (CVE-2023-23397) in March 2023, but Akamai subsequently discovered a new bypass (CVE-2023-29324) which Microsoft fixed in May.
4. Akamai identified another bypass (CVE-2023-35384) that requires user interaction and was addressed by Microsoft with the August 2023 patches.
5. In October, Microsoft patched a vulnerability (CVE-2023-36710) related to the parsing of sound files on Windows, which could lead to remote code execution without user interaction.
6. Akamai warns that the attack surface in Outlook still exists, and new vulnerabilities can be found and exploited, despite Microsoft’s mitigations.
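
Because the reminder sound is attacker-supplied and the fixes for it were bypassed more than once, a mailbox audit is more robust as an allowlist of local path forms than as a list of known-bad ones. The following is an added example, not code from Akamai or Microsoft; it assumes the reminder sound values have already been exported from mailbox items as strings, and the function names, item ids and sample values are constructed for illustration.

```python
import re

# Allowlist of accepted forms (an assumption of this example):
#   - a bare file name such as "reminder.wav"
#   - a drive-letter path using backslashes, e.g. C:\Windows\Media\x.wav
# Everything else (UNC, device-namespace prefixes, forward slashes, URLs)
# is reported instead of being matched against a denylist.
_COMPONENT = r'[^\\/:*?"<>|]+'
_BARE_NAME = re.compile(rf'^{_COMPONENT}$')
_DRIVE_PATH = re.compile(rf'^[A-Za-z]:\\(?:{_COMPONENT}\\)*{_COMPONENT}$')


def classify_reminder_sound(value):
    """Return 'empty', 'local' or 'suspicious' for one reminder sound value."""
    v = value.strip()
    if not v:
        return "empty"
    if _BARE_NAME.match(v) or _DRIVE_PATH.match(v):
        # Caveat: a drive letter can be a mapped network share; this check
        # looks only at the form of the path, not at where it resolves.
        return "local"
    return "suspicious"


def audit(items):
    """Return the ids of items whose reminder sound is not a local form."""
    return [item_id for item_id, value in items
            if classify_reminder_sound(value) == "suspicious"]


# Constructed sample data: (item id, exported reminder sound value).
SAMPLES = [
    ("msg-001", r"C:\Windows\Media\Alarm01.wav"),
    ("msg-002", "reminder.wav"),
    ("msg-003", r"\\host.example\share\tune.wav"),
    ("msg-004", r"\\?\UNC\host.example\share\tune.wav"),
    ("msg-005", "//host.example/share/tune.wav"),
    ("msg-006", "file://host.example/share/tune.wav"),
    ("msg-007", ""),
]

if __name__ == "__main__":
    for item_id in audit(SAMPLES):
        print("review:", item_id)
```

Flagged items are candidates for review rather than confirmed compromise.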
