Microsoft: New critical Outlook RCE bug exploited as zero-day

February 14, 2024 at 03:12PM

Microsoft updated a security advisory to warn about a critical Outlook bug, tracked as CVE-2024-21413, that leads to remote code execution if exploited. The vulnerability allows attackers to bypass Protected View and affects multiple Office products, including Microsoft Outlook 2016 and Office 2019. Check Point researchers discovered the vulnerability, called Moniker Link, and recommend applying the official patch immediately.

Summary:

– A critical Outlook bug, tracked as CVE-2024-21413, was exploited in zero-day attacks and has been fixed in this month’s Patch Tuesday.
– This vulnerability allows remote code execution (RCE) when a user opens an email containing malicious links in a vulnerable Microsoft Outlook version. It bypasses Protected View, so malicious Office files open in editing mode.
– The Preview Pane is also an attack vector for this security flaw, even when previewing maliciously crafted Office documents in Windows Explorer.
– Unauthenticated attackers can exploit CVE-2024-21413 remotely in low-complexity attacks that don’t require user interaction.
– Successful exploitation of this vulnerability could let attackers gain high privileges, including read, write, and delete functionality, and could leak local NTLM credential information.
– CVE-2024-21413 affects multiple Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019 under extended support.
– The vulnerability dubbed Moniker Link allows attackers to bypass built-in Outlook protections for malicious links embedded in emails using the file:// protocol and adding an exclamation mark to URLs pointing to attacker-controlled servers. This type of hyperlink bypasses Outlook security restrictions without throwing any warnings or errors.
– The impact of attacks exploiting CVE-2024-21413 includes theft of NTLM credential information and arbitrary code execution via maliciously crafted Office documents.
– The vulnerability may also impact other software that uses the MkParseDisplayName unsafe API.
– Check Point confirmed the Moniker Link bug/attack vector on the latest Windows 10/11 + Microsoft 365 environments and recommended all Outlook users apply the official patch as soon as possible.
– A Microsoft spokesperson was not immediately available for additional details regarding CVE-2024-21413 exploitation in the wild.
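
For defenders triaging mail, the link shape described in the Moniker Link item above (a file:// URL with an exclamation mark appended) can be flagged in HTML message bodies. The following is an added example, not code from Microsoft, Check Point or the original article; the sample message, host names and function names are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample message; hosts and paths are placeholders.
SAMPLE = r"""From: sender@example.test
To: user@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://example.test/report">ordinary link</a>
<a href="file:///\\files.example.test\share\report.rtf!x">link</a>
<a href="FILE://files.example.test/share/report.rtf%21x">link</a>
<a href="file:///C:/Users/Public/readme.txt">no exclamation mark</a>
</body></html>
"""

class HrefCollector(HTMLParser):
    """Collects the href value of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_moniker_link(href):
    """True for a file: URL that has '!' (literal or %21) after its path."""
    url = unquote(href.strip())
    if not url.lower().startswith("file:"):
        return False
    path, sep, _ = url[5:].lstrip("/\\").partition("!")
    return bool(sep) and bool(path)

def scan_message(raw):
    """Return the suspicious hrefs found in the HTML parts of a raw message."""
    hits = []
    for part in message_from_string(raw, policy=default).walk():
        if part.get_content_type() == "text/html":
            collector = HrefCollector()
            collector.feed(part.get_content())
            hits += [h for h in collector.hrefs if is_moniker_link(h)]
    return hits

if __name__ == "__main__":
    for href in scan_message(SAMPLE):
        print("suspicious link:", href)
```

A legitimate file name can contain an exclamation mark, so a hit is a triage signal to review alongside patch status, not proof of an attack.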
