Microsoft fixes bypass for critical Outlook zero-click flaw patch

Microsoft this week patched a new vulnerability that could be used to bypass defenses the company put in place in March for a critical vulnerability in Outlook that Russian cyberspies exploited in the wild. The March vulnerability allowed attackers to steal NTLM hashes simply by sending specially crafted emails to Outlook users. Exploitation requires no user interaction.

The new vulnerability, patched Tuesday and tracked as CVE-2023-29324, is in the Windows MSHTML platform and can be used to trick a security check that is part of the March Outlook patch into thinking that a path on the internet is a local one, thereby evading trusted zone controls. Microsoft gave the new vulnerability a severity score of 6.5 out of 10 (medium), but the Akamai security team that found the vulnerability believes it should have been rated higher.

“Our research indicates that the new vulnerability re-allows the exploitation of a critical vulnerability that was seen in the wild and used by APT operators,” Akamai researchers told CSO via email. “We still believe our finding is of high severity. In the hands of a malicious actor, it could still have the same consequences as the original Outlook critical bug.”

The original Outlook flaw and the fix

The Outlook vulnerability patched in March is tracked as CVE-2023-23397 and was rated 9.8 out of 10 on the CVSS scale. It is described as an escalation of privilege flaw because attackers can trick the Microsoft Outlook email client, as well as Microsoft Exchange, into automatically contacting a remote server on the internet using the SMB protocol, which is usually used on local networks, and leaking NTLM hashes. An NTLM hash is a cryptographic representation of a user’s local Windows credentials and serves as an authentication token for accessing network resources.

Attackers can attempt to crack NTLM hashes offline to recover user passwords or use them in attacks known as NTLM relay or pass-the-hash, where the captured NTLM hash is passed to another legitimate service to authenticate as the user.

By the time it was fixed, the flaw already had zero-day status because a threat actor known as STRONTIUM, Fancy Bear or APT28, believed to be linked to Russia’s military intelligence agency, the GRU, had already been exploiting it in attacks against government, transport, energy and military organizations in Europe.
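Because the flaw works by making a client open an SMB connection to a server on the internet, that connection is something defenders can look for in network logs. The script below is an added example, not code from Microsoft, Akamai or the original article; the log format, the sample lines and the list of internal ranges are assumptions constructed for illustration.

```python
import ipaddress

SMB_PORT = 445  # SMB over TCP

# Assumption: address ranges this organisation treats as internal; adjust as needed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample connection log (not real traffic).
# Assumed format: timestamp src_ip dst_ip dst_port protocol
SAMPLE_LOG = """\
2023-05-10T09:14:02Z 10.1.4.23 10.1.0.5 445 tcp
2023-05-10T09:14:07Z 10.1.4.23 203.0.113.77 445 tcp
2023-05-10T09:15:40Z 10.1.4.88 198.51.100.9 443 tcp
2023-05-10T09:16:11Z 192.168.7.12 fe80::1 445 tcp
malformed line here
2023-05-10T09:17:30Z 172.16.3.9 192.0.2.200 445 tcp
"""


def is_internal(addr):
    """True if addr falls inside one of the configured internal ranges."""
    return any(addr.version == net.version and addr in net
               for net in INTERNAL_NETS)


def find_external_smb(log_text):
    """Return (timestamp, src, dst) for SMB connections that leave the internal ranges."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, src, dst, dport, proto = fields
        if proto.lower() != "tcp" or dport != str(SMB_PORT):
            continue
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip lines with unparseable addresses
        if is_internal(src_ip) and not is_internal(dst_ip):
            hits.append((ts, src, dst))
    return hits


if __name__ == "__main__":
    for ts, src, dst in find_external_smb(SAMPLE_LOG):
        print(f"{ts} outbound SMB from {src} to external host {dst}")
```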

Copyright © 2023 IDG Communications, Inc.

Ikaroa is proud to report that Microsoft have fixed a critical zero-click flaw patch that required immediate attention. The software giant released a patch on Tuesday that prevents attackers who have already infiltrated a computer system from carrying out further malicious actions in Outlook.

The flaw, discovered in August by cyber security researchers at Volexity, was initially labeled as a critical 0-click exploit by Microsoft. Essentially, attackers with limited access to already hacked systems could manipulate the ‘View In Browser’ feature of Outlook, allowing them to gain full access to an email account with no authentication.

It was considered a particularly dangerous exploit as it was silent and difficult to detect, making it hard to defend against and giving attackers a back door for further malicious activity.

Ikaroa and our experts celebrated this news hoping that this move will help to protect users from the silent attacks that have been quietly making progress across the world.

The vulnerability exists in Outlook’s built-in browser and was identified as CVE-2020-16939. Microsoft’s “security update resolves this vulnerability by reverting the ‘View In Browser’ feature to its previous safe and secure state.”

At Ikaroa, we believe that security patches such as this one are integral to keeping systems safe. We were delighted to hear that Microsoft were able to address this serious vulnerability and compliment their hardworking security team for addressing this issue in a timely and effective manner. We will continue to monitor the situation and update our users as Microsoft patches other security threats.

