Microsoft Outlook zero-click vulnerability can be exploited via an audio file
Take action: It may be a good idea to read emails on the Webmail interface for a while, until Microsoft issues another patch for Outlook. And when the patch is issued, don't ignore it - patch immediately.
Akamai's research team uncovered two significant security vulnerabilities in Microsoft Outlook that present a unique threat due to their potential to be exploited via a sound file.
- The first vulnerability, tracked as CVE-2023-35384 (CVSS score 5.4), involves a critical privilege escalation flaw in Outlook. Microsoft initially patched this issue in March, but a bypass was later found, leading to a second patch. The flaw originates from a security oversight in Outlook: the software fails to properly verify whether the URL requested for a custom notification sound points to a secure source. Attackers can exploit this by embedding a Universal Naming Convention (UNC) path in an email, causing Outlook to retrieve a sound file from an unsafe internet location.
- The second vulnerability, tracked as CVE-2023-36710 (CVSS score 7.8), is a remote code execution (RCE) issue within a component of the Windows Media Foundation. This vulnerability is particularly concerning as it deals with how Windows processes sound files, and it can be triggered when an affected Outlook client automatically plays a malicious sound file.
By combining these two vulnerabilities, attackers can execute arbitrary code remotely on the victim's machine without any user interaction, hence the term "zero-click." The attack involves sending a specially crafted email that downloads a harmful sound file from an attacker-controlled server, which, when played, leads to code execution on the victim's device.
The security researcher from Akamai noted that while each vulnerability on its own might be considered weak, their combination against Outlook creates a potent zero-click RCE vulnerability.
Microsoft's response to these vulnerabilities involved issuing patches. However, the researchers at Akamai discovered a way to bypass the original patch for the CVE-2023-35384 vulnerability by adding a single character to a function in the Microsoft update, leading to the need for further patching. They suggested that removing the feature abused by attackers might be more effective than patching it, as the feature's complexity increases the attack surface.
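The missing check described above, written here as an added example that is neither Outlook's code nor Akamai's: instead of rejecting known-bad prefixes one case at a time, it accepts a custom notification-sound path only when it normalizes to an absolute local path inside an allowlisted directory (the `C:\Windows\Media` root is an assumption for this example).

```python
import ntpath

# Assumed allowlisted directory for notification sounds (an assumption for
# this example; the advisory does not state which location Outlook should allow).
ALLOWED_SOUND_ROOT = r"C:\Windows\Media"


def is_safe_local_sound_path(path: str, allowed_root: str = ALLOWED_SOUND_ROOT) -> bool:
    r"""Return True only if `path` normalizes to an absolute local path that
    lies strictly inside `allowed_root`.

    The check is an allowlist: anything that is not provably a local file under
    the permitted directory is rejected, so UNC paths (\\server\share), Win32
    device paths (\\?\UNC\...), URLs, relative paths, drive-relative paths and
    directory traversal all fail without needing a per-case denylist rule.
    """
    # Collapse separators and ".." components using Windows path semantics
    # (ntpath behaves the same on any OS, so this also runs on Linux).
    norm = ntpath.normpath(path)
    drive, _rest = ntpath.splitdrive(norm)

    # Reject anything whose "drive" is a UNC or device prefix.
    if drive.startswith("\\\\"):
        return False
    # Require a drive letter plus root, i.e. C:\..., not C:foo or \foo.
    if len(drive) != 2 or drive[1] != ":" or not ntpath.isabs(norm):
        return False

    root = ntpath.normcase(ntpath.normpath(allowed_root))
    candidate = ntpath.normcase(norm)
    try:
        common = ntpath.commonpath([candidate, root])
    except ValueError:
        # Different drives (or mixed absolute/relative) share no prefix.
        return False
    # Must be strictly inside the allowed directory, not the directory itself.
    return common == root and candidate != root


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the advisory.
    samples = [
        r"C:\Windows\Media\chimes.wav",
        r"\\attacker.example\share\notify.wav",
        r"\\?\UNC\attacker.example\share\notify.wav",
        r"C:\Windows\Media\..\..\Users\Public\notify.wav",
        "chimes.wav",
    ]
    for sample in samples:
        print(f"{'allow' if is_safe_local_sound_path(sample) else 'reject':6} {sample}")
```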