Cybersecurity researchers have disclosed a serious, now-patched vulnerability in the Windows MSHTML platform. The flaw allows malicious actors to circumvent established integrity protections on targeted systems, posing a critical risk to users.
The vulnerability, identified as CVE-2023-29324 with a CVSS score of 6.5, has been classified as a security feature bypass. Microsoft remediated it in its May 2023 Patch Tuesday updates after Akamai researcher Ben Barnea reported it.
Barnea indicated that all Windows versions are susceptible to this vulnerability; however, he noted that Exchange servers with the March 2023 update omit the affected feature and so do not exhibit the vulnerability. The flaw represents a significant risk, as it could allow an unauthenticated attacker on the internet to coerce an Outlook client into connecting to a server controlled by the attacker, leading to potential theft of NTLM credentials, an alarming prospect for businesses relying on Windows systems.
The flaw is particularly concerning because it is classified as a zero-click vulnerability. This means that a user does not need to interact with any malicious content for the exploit to trigger, which simplifies the attack for adversaries. The attack may use tactics classified under Initial Access in the MITRE ATT&CK framework, where adversaries can gain access to a network without prior credentials.
Furthermore, CVE-2023-29324 serves as a bypass for the fix Microsoft implemented in response to a related vulnerability, CVE-2023-23397. That critical flaw in Outlook had previously been leveraged by Russian threat actors in targeted attacks against European organizations since April 2022. The interconnected nature of these vulnerabilities underscores the evolving threat landscape businesses must navigate.
Akamai’s investigation reveals that the issue stems from the complex handling of paths within the Windows operating system. This flaw allows attackers to create malicious URLs capable of evading standard internet security checks. As Barnea reflected, this situation illustrates the unintended consequences that can arise from patching efforts, potentially opening new avenues for exploitation.
In light of these developments, Microsoft recommends that users apply cumulative updates for Internet Explorer to protect against vulnerabilities within the MSHTML platform and the scripting engine. Businesses are urged to take these preventive measures seriously to fortify their defenses against evolving cyber threats, especially considering the potential implications of credential theft inherent in this exploit.