Unraveling Microsoft Outlook’s Zero-Click Vulnerabilities Triggered by Sound Files

In a recent revelation, security researchers at Akamai disclosed two critical security vulnerabilities in Microsoft Outlook that, when combined, provide attackers with the ability to execute arbitrary code on targeted systems without requiring any user interaction. Surprisingly, both vulnerabilities can be exploited using a simple sound file, highlighting the intricate nature of the security flaws.

CVE-2023-35384: Outlook Privilege Escalation Bypass:

The first flaw, identified as CVE-2023-35384, is the second patch bypass discovered by Akamai researchers for a critical privilege escalation vulnerability in Outlook, initially patched by Microsoft in March. This vulnerability arises from a security feature in Outlook that fails to properly validate requested URLs in local machine zones, intranet zones, or other trusted zones. By sending an email reminder with a custom notification sound, attackers can trigger the flaw and specify a UNC path, causing the client to retrieve the sound file from an unauthorized SMB server on the Internet.

CVE-2023-36710: Windows Media Foundation Remote Code Execution:

The second flaw, CVE-2023-36710, is a remote code execution vulnerability in a Windows Media Foundation feature, rooted in how Windows parses sound files. Attackers can exploit it by using the first flaw to send a specially crafted email that makes the victim's client download a malicious sound file from an attacker-controlled server. When the downloaded sound file is auto-played, it leads to code execution on the victim's machine.

Chained Exploitation for Zero-Click RCE:

Akamai emphasizes that by chaining both vulnerabilities together, attackers can achieve a full, zero-click remote code execution exploit against Outlook clients. This underscores the significance of addressing these vulnerabilities promptly.

Challenge with Patching:

Notably, this is the second instance in which Akamai researchers have identified a way to bypass a patch issued by Microsoft in March for the Outlook privilege escalation flaw (CVE-2023-23397). The original patch sought to mitigate the abuse of the custom reminder sound feature by verifying the safety of the sound file’s URL. However, Akamai researchers found a bypass by adding a single character to a function in the Microsoft update. Microsoft addressed this in May by issuing a separate patch (CVE-2023-29324). The recent bypass detailed by Akamai also stems from an issue in the original patch, raising concerns about the robustness of the patch itself.
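The check at the heart of both the original flaw and its patches is whether a reminder sound's path points at the local machine or intranet zone or at an Internet host. The following is an added example, not Akamai's or Microsoft's code: a mailbox-scanning helper that classifies reminder-sound values, assuming they are read from the item's PidLidReminderFileParameter property, treating single-label hostnames, loopback, RFC 1918 and link-local addresses as local or intranet, and everything else as Internet. It also normalizes Win32 device-path spellings of UNC paths so the check sees the real host, which a path filter that only recognises the plain `\\host` form would miss.

```python
import ipaddress
import re

# Constructed sample values for the custom reminder-sound property of mail/calendar
# items (assumption: read from PidLidReminderFileParameter). Hosts are placeholders.
SAMPLE_REMINDER_SOUNDS = [
    r"C:\Windows\Media\Alarm01.wav",
    r"\\fileserver\sounds\chime.wav",
    r"\\10.0.4.20\sounds\chime.wav",
    r"\\203.0.113.7\share\reminder.wav",           # documentation range as a stand-in
    r"\\.\UNC\example.invalid\share\reminder.wav",  # device-path spelling of a UNC path
    r"\\?\C:\Windows\Media\Alarm01.wav",           # device-path spelling of a local path
]

# Win32 device-path prefixes \\?\ and \\.\, with UNC\ marking a network path.
DEVICE_PREFIX = re.compile(r"^\\\\[?.]\\(UNC\\)?", re.IGNORECASE)

# Ranges treated as local machine / intranet (assumption: loopback, RFC 1918, link-local).
INTRANET_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def unc_host(path: str):
    """Return the host of a UNC path (plain or device-path form), or None if local."""
    m = DEVICE_PREFIX.match(path)
    if m:
        if not m.group(1):
            return None            # \\?\C:\... addresses a local device, not a server
        rest = path[m.end():]
    elif path.startswith("\\\\"):
        rest = path[2:]
    else:
        return None                # drive-letter or relative path
    host = rest.split("\\", 1)[0]
    return host or None

def classify_zone(path: str) -> str:
    """Approximate the zone the client would fetch the sound from: local, intranet or internet."""
    host = unc_host(path)
    if host is None:
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Assumption: single-label names resolve on the local network; dotted names do not.
        return "intranet" if "." not in host else "internet"
    return "intranet" if any(ip in net for net in INTRANET_NETS) else "internet"

def flag_internet_sounds(paths):
    """Reminder sounds that would make Outlook reach an Internet host over SMB."""
    return [p for p in paths if classify_zone(p) == "internet"]
```

Running `flag_internet_sounds(SAMPLE_REMINDER_SOUNDS)` returns the two entries whose host is outside the local or intranet ranges; in a real deployment the flagged items are the ones to quarantine or investigate.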

The disclosed vulnerabilities pose a serious threat to Microsoft Outlook users, as they enable attackers to execute code remotely without user interaction. The intricate nature of these security flaws highlights the challenges in patching and emphasizes the need for comprehensive security measures. Addressing these vulnerabilities promptly is crucial to safeguarding user data and preventing potential exploitation by malicious actors.
