Microsoft Outlook security hole lets attackers in without opening a tainted message

Among the large batch of security patches that Microsoft released on Tuesday was an especially nasty hole within Microsoft’s Outlook email client, one that would allow an attacker full access by simply sending the user an email, even if the recipient chooses to not open the message.

If the attack is successful, the end user would have no way of knowing that they have been attacked. “You will not know. You will not experience anything,” said Michael Gorelik, the chief technology officer at Morphisec, the security firm that says it discovered the hole and reported it to Microsoft.

The risk is still there

Of far greater concern, Gorelik said, is that this flaw may indicate the existence of similar zero-click holes that Microsoft has yet to patch.

“There are at least two more confirmed CVEs that have yet to be patched, (both of) which lead to full NTLM [NT LAN Manager] compromise, so the risk is still there,” Gorelik told CSO Online on Wednesday.

The hole, which Microsoft has dubbed CVE-2024-38173, allows any email malware to be activated without the recipient opening the message, courtesy of Outlook’s popular email preview function. But even for those who are not using mail preview, the malware is still likely to be activated, as most corporate employees would likely open those messages. They know to not open an unknown attachment or click on an unexpected link, but this attack methodology requires neither of those actions.

“The discovery of CVE-2024-38173 highlights a critical flaw in the form-based architecture of Outlook, where an attacker with access to an account can craft and propagate a malicious form that evades detection due to a faulty deny list implementation,” Gorelik said. 

Form security at fault

But Gorelik stressed that Tuesday’s patch does not likely resolve the vulnerability. 

“This vulnerability is the third in a series, indicating a persistent issue with Microsoft’s handling of form security. To mitigate the risk of exploitation, enterprises should enforce Kerberos authentication by default and block NTLM where possible,” he said. “Additionally, hardening endpoints and restricting certain protocols, such as SMB [server message block], are crucial steps.”

The problem with the remaining holes is that they all involve ways of bypassing Microsoft’s deny list and therefore allow a custom form to execute automatically, Gorelik explained. He suggested blocking all outbound SMB as well as strictly enforcing SMB signing.
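The mitigations Gorelik lists in the two paragraphs above (prefer Kerberos and restrict NTLM, block outbound SMB, require SMB signing) can be audited and applied from an elevated PowerShell session. The script below is an added example written for this article, not code from Morphisec or Microsoft; the firewall rule name, the audit-first NTLM setting and the event-log check are my choices, and the -RemoteAddress scoping is left to the reader's network.

```powershell
# Added example (not from the article): audit, and with -Enforce apply, the
# NTLM/SMB hardening the article describes. Run elevated; test before rollout,
# because denying NTLM or outbound SMB breaks legacy clients and file shares.
[CmdletBinding()]
param([switch]$Enforce)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$ruleName = 'Block outbound SMB (TCP 445)'   # constructed rule name

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

if ($Enforce) {
    # 1. Outbound SMB to arbitrary hosts is the path an NTLM hash leaks over.
    #    Add -RemoteAddress <external ranges> if internal file servers must stay reachable.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Action Block -Profile Any | Out-Null
    }
    # 2. Require SMB signing on both sides so a leaked hash cannot simply be relayed.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    # 3. NTLM: 1 = audit outbound NTLM, 2 = deny; LmCompatibilityLevel 5 = NTLMv2 only.
    #    Start with audit, review the log below, then raise to 2 where Kerberos is in place.
    New-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -PropertyType DWord -Force | Out-Null
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
}

# Report the current state so the run doubles as an audit.
$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration
[pscustomobject]@{
    OutboundSmbBlocked        = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    SmbClientSigningRequired  = $client.RequireSecuritySignature
    SmbServerSigningRequired  = $server.RequireSecuritySignature
    RestrictSendingNTLM       = Get-RegValue $msv 'RestrictSendingNTLMTraffic'   # null = not set (allow all)
    LmCompatibilityLevel      = Get-RegValue $lsa 'LmCompatibilityLevel'
}

# 4. While RestrictSendingNTLMTraffic=1, outbound NTLM that would be blocked is logged as
#    event 8001 in Microsoft-Windows-NTLM/Operational; use it to find what still needs Kerberos.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8001 | Select-Object TimeCreated, Id, Message
```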

One strategy to defend against the issues, he said, is to leverage AMTD (Automated Moving Target Defense, a concept defined by Gartner), in which system configurations, network characteristics, or software are dynamically modified to disrupt attackers’ efforts to discover and exploit vulnerabilities.

It may get worse

The NTLM matter is something that Microsoft has wrestled with before. And in its blog post, Morphisec offered ways that these problems could get much worse.

It said that the holes leveraged “techniques to hijack and leak NTLM. Both vulnerabilities are critical, as attackers could theoretically chain them and build a full attack chain allowing the adversary complete control of the system without the need for prior authentication.”
