Recently disclosed technical details shed light on two security vulnerabilities in Microsoft Windows that have since been patched, but could still be combined by malicious actors to achieve remote code execution on the Outlook email service without any user interaction.
Ben Barnea, a security researcher at Akamai who unearthed these vulnerabilities, elaborated in a two-part report shared with The Hacker News, stating, “An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients.”
The security flaws, addressed by Microsoft in August and October 2023, respectively, are as follows:
CVE-2023-35384 (CVSS score: 5.4) – Windows HTML Platforms Security Feature Bypass Vulnerability CVE-2023-36710 (CVSS score: 7.8) – Windows Media Foundation Core Remote Code Execution Vulnerability CVE-2023-35384 has been identified by Akamai as a workaround for a critical security issue patched by Microsoft in March 2023. This flaw, known as CVE-2023-23397 (CVSS score: 9.8), pertains to a privilege escalation scenario that could lead to the theft of NTLM credentials and enable a relay attack by attackers.
Recently, Microsoft, Proofpoint, and Palo Alto Networks Unit 42 disclosed that a Russian threat actor, identified as APT28 (also known as Forest Blizzard), has been actively exploiting the vulnerability to gain unauthorized access to victims’ accounts within Exchange servers.
It’s noteworthy that CVE-2023-35384 is the second patch bypass, following CVE-2023-29324, which was also discovered by Barnea and addressed by Microsoft as part of its May 2023 security updates.
“We found another bypass to the original Outlook vulnerability — a bypass that once again allowed us to coerce the client to connect to an attacker-controlled server and download a malicious sound file,” Barnea explained.
CVE-2023-35384, akin to CVE-2023-29324, stems from the mishandling of a path by the MapUrlToZone function, which could be exploited by sending a malicious file or URL via email to an Outlook client.
“A security feature bypass vulnerability exists when the MSHTML platform fails to validate the correct Security Zone of requests for specific URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended,” Microsoft stated in its advisory.
This vulnerability not only facilitates the leakage of NTLM credentials but can also be combined with the sound parsing flaw (CVE-2023-36710) to download a custom sound file. When autoplayed using Outlook’s reminder sound feature, this file could trigger zero-click code execution on the victim’s machine.
CVE-2023-36710 affects the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework used for managing audio codecs. It results from an integer overflow vulnerability encountered when playing a WAV file.
“To mitigate the risks, organizations are advised to use microsegmentation to block outgoing SMB connections to remote public IP addresses. Additionally, it’s recommended to either disable NTLM or add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism.”
