Two security vulnerabilities in Microsoft Windows, both since patched, could have been exploited by attackers to achieve remote code execution (RCE) on Outlook email clients without any user interaction. The findings come from Akamai researcher Ben Barnea, who discovered the flaws and detailed their implications in a two-part report shared with The Hacker News.

The vulnerabilities in question were addressed by Microsoft in their security updates for August and October 2023. The first vulnerability, tracked as CVE-2023-35384, pertains to a security feature bypass related to Windows HTML platforms, with a CVSS score of 5.4. The second, CVE-2023-36710, scored 7.8 on the CVSS scale and involves a remote code execution issue within the Windows Media Foundation Core.

CVE-2023-35384 is described as a bypass of a critical vulnerability that Microsoft had previously patched in March 2023, known as CVE-2023-23397, which had a CVSS score of 9.8. This earlier vulnerability allowed for privilege escalation, potentially leading to the theft of NTLM credentials and facilitating unauthorized access through relay attacks. Notably, a Russian threat actor group, APT28, has been reported to be actively exploiting these vulnerabilities to compromise Exchange server accounts.

Barnea's analysis revealed that CVE-2023-35384 allows malicious actors to manipulate how Outlook clients parse paths sent to them, exploiting a flaw in how specific URLs are validated. On its own, this can leak NTLM credentials; when chained with the sound-parsing flaw CVE-2023-36710, it can cause Outlook to download a custom sound file that executes code, without any user interaction, as soon as Outlook's reminder feature plays it.

CVE-2023-36710 specifically affects the Audio Compression Manager (ACM), a legacy Windows multimedia framework, and is rooted in an integer overflow. Barnea noted that the flaw can be triggered by using specific codecs with large audio files.

To defend against these vulnerabilities, experts recommend microsegmentation to block outbound SMB connections to public IP addresses. Organizations are also advised to disable NTLM, or to add users to the Protected Users security group, which prevents NTLM from being used as an authentication mechanism for those accounts.
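Two of those mitigations, expressed as PowerShell an administrator would run; this is an added example, not code from the article or from Akamai. It assumes an elevated session on a domain-joined Windows host, the ActiveDirectory RSAT module for the group change, and a constructed list of account names in `$accounts`.

```powershell
# Added example: host firewall rule for outbound SMB plus Protected Users membership.
# Windows Firewall evaluates block rules before allow rules, so "block Any, allow
# private" does not work; instead the rule lists the complement of the private,
# loopback and link-local IPv4 ranges, i.e. the public address space.
#Requires -RunAsAdministrator

$publicRanges = @(
    '1.0.0.0-9.255.255.255',        # up to RFC 1918 10.0.0.0/8
    '11.0.0.0-126.255.255.255',     # up to loopback 127.0.0.0/8
    '128.0.0.0-169.253.255.255',    # up to link-local 169.254.0.0/16
    '169.255.0.0-172.15.255.255',   # up to RFC 1918 172.16.0.0/12
    '172.32.0.0-192.167.255.255',   # up to RFC 1918 192.168.0.0/16
    '192.169.0.0-223.255.255.255'   # up to multicast 224.0.0.0/4
)
$ruleName = 'Block outbound SMB to public IPs'   # constructed rule name

# 1. Block outbound TCP 445 (SMB) to public IPv4 addresses, idempotently.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
        -Protocol TCP -RemotePort 445 -RemoteAddress $publicRanges `
        -Action Block -Profile Any | Out-Null
}

# 2. Add the chosen accounts to Protected Users, which disables NTLM for them.
#    $accounts is a constructed list; replace it with the real sAMAccountNames.
Import-Module ActiveDirectory
$accounts = @('alice.admin', 'bob.admin')
Add-ADGroupMember -Identity 'Protected Users' -Members $accounts

# 3. Verify: which remote ranges the rule covers, and who is now protected.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
Get-ADGroupMember -Identity 'Protected Users' |
    Select-Object -ExpandProperty SamAccountName
```

Protected Users membership has other side effects (no DES/RC4 Kerberos, no delegation, short ticket lifetimes), so confirm the affected accounts tolerate them before rolling it out broadly.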

The details surrounding these vulnerabilities underscore the sophisticated techniques that adversaries may employ, including initial access through phishing and privilege escalation, highlighting the necessity for robust cybersecurity measures. Business owners should remain vigilant and proactive in addressing these challenges to safeguard their email systems against evolving threats.
