Why Microsoft just patched a patch that squashed an under-attack Outlook bug

Microsoft in March fixed an interesting security hole in Outlook that was exploited by miscreants to leak victims' Windows credentials. This week the IT giant fixed that fix as part of its monthly Patch Tuesday update.

To remind you of the original bug, tracked as CVE-2023-23397: it was possible to send someone an email that included a reminder with a custom notification sound. That custom sound could be specified as a URL path within the email.

If a miscreant carefully crafted a mail with that sound path set to a remote SMB server, then when Outlook fetched and processed the message and automatically followed the path to the file server, it would hand over the user's Net-NTLMv2 hash in an attempt to log in. That would effectively leak the hash to an outside party, who could potentially use the credential to access other resources as that user, allowing the intruder to explore internal network systems, steal documents, impersonate their victim, and so on.

The patch from a couple of months ago made Outlook use the Windows function MapUrlToZone to check where a notification sound path was really pointing, and if it pointed out to the internet, the path would be ignored and the default sound would play. That should have stopped the client connecting to a remote server and leaking hashes.

It turned out this MapUrlToZone-based protection could be bypassed, prompting Microsoft to shore up its March fix in May. The original bug was being exploited in the wild, and so when the patch for it landed, it got everyone's attention. And that attention helped reveal that the fix was incomplete.

And if it had been left incomplete, whoever was abusing the original bug could have used the other vulnerability to get around the original patch. So to be clear, it isn't that the fix for CVE-2023-23397 didn't work – it did – it just wasn't enough to fully close the custom sound file hole.

“This vulnerability is yet another example of patch scrutinizing leading to new vulnerabilities and bypasses,” said Akamai's Ben Barnea, who spotted and reported the MapUrlToZone bypass.

“Specifically for this vulnerability, the addition of one character allows for a critical patch bypass.”

Crucially, while the first bug was in Outlook, this second issue with MapUrlToZone lies in Microsoft's implementation of that function in the Windows API. That means the second patch is not for Outlook but for the underlying MSHTML platform in Windows, and all versions of the OS are affected by that bug, Barnea wrote. The problem is that a maliciously constructed path can be passed to MapUrlToZone so that the function decides the path does not point to the external internet, when in fact it does by the time the application comes to open it.

According to Barnea, emails can contain a reminder that includes a custom notification sound, specified as a path in the extended MAPI property PidLidReminderFileParameter.

“An attacker can specify a UNC path that would cause the client to retrieve the sound file from any SMB server,” he explained. “As part of the connection to the remote SMB server, the Net-NTLMv2 hash is sent in a negotiation message.”

That flaw was bad enough to earn a CVSS severity rating of 9.8 out of 10 and had been exploited by a Russia-linked crew for about a year by the time the fix was issued in March. The cyber-gang used it in attacks against organizations in European governments as well as the transportation, energy, and military sectors.

To find a bypass for Microsoft's original patch, Barnea wanted to craft a path that MapUrlToZone would label as local, intranet, or a trusted zone – meaning Outlook could safely follow it – but that, when passed to the CreateFile function to open, would make the OS go and connect to a remote server.

Eventually he found that miscreants could alter the URL in reminder messages so that MapUrlToZone checks were duped into seeing remote paths as local ones. And it could be done with a single keystroke: adding a second backslash to the universal naming convention (UNC) path.

“An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server,” Barnea wrote. “This results in NTLM credentials theft. It is a zero-click vulnerability, meaning it can be triggered with no user interaction.”

He added that the problem appears to be the “result of the complex handling of paths in Windows. … We believe this kind of confusion can potentially cause vulnerabilities in other programs that use MapUrlToZone on a user-controlled path and then use a file operation (such as CreateFile or a similar API) on the same path.”
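As an added illustration of the check-then-use path confusion Barnea describes (this is not Microsoft's or Akamai's code, and the naive check is a stand-in, not a model of MapUrlToZone's real logic): a prefix check that recognises only the `\\host\` form misjudges a path with an extra leading separator, while a classifier that canonicalizes the string first and refuses anything other than a plain drive-letter path does not. The sample paths are constructed.

```python
import re

# Constructed sample reminder-sound paths, as a mail filter might see them
# in PidLidReminderFileParameter, with the zone each one really resolves to.
SAMPLES = {
    r"C:\Windows\Media\notify.wav": "local",
    r"\\fileserver\share\alert.wav": "remote",
    r"\\\fileserver\share\alert.wav": "remote",     # extra leading separator
    r"//fileserver/share/alert.wav": "remote",       # forward slashes
    r"\\?\UNC\fileserver\share\alert.wav": "remote", # device-path UNC form
    r"file://fileserver/share/alert.wav": "remote",  # URL form
}

def naive_classify(path: str) -> str:
    """Illustrative stand-in: expects exactly '\\\\host\\', so a path with a
    third leading separator (or forward slashes) is wrongly called local."""
    return "remote" if re.match(r"^\\\\[^\\]+\\", path) else "local"

def canonical_classify(path: str) -> str:
    """Canonicalize first, then decide. Anything that is not a plain
    drive-letter absolute path without '..' segments is treated as remote."""
    p = path.strip().replace("/", "\\")
    lower = p.lower()
    if lower.startswith("file:"):
        return "remote"
    if lower.startswith("\\\\?\\unc\\") or lower.startswith("\\\\.\\unc\\"):
        return "remote"
    if p.startswith("\\\\"):          # two or more leading separators: UNC-like
        return "remote"
    if re.match(r"^[A-Za-z]:\\", p) and ".." not in p.split("\\"):
        return "local"
    return "remote"                   # relative, device or unrecognised: refuse

def choose_sound(path: str, default=r"C:\Windows\Media\notify.wav") -> str:
    """Play the custom file only when it is a local drive path; else the default.
    The same canonicalized string must be what is later handed to the open call."""
    return path if canonical_classify(path) == "local" else default

if __name__ == "__main__":
    for sample, zone in SAMPLES.items():
        print(f"{sample!r:45} naive={naive_classify(sample):6} "
              f"canonical={canonical_classify(sample):6} expected={zone}")
```

The mismatch between `naive_classify` and `canonical_classify` on the third and fourth samples is the pattern to look for whenever a zone check and a file open parse the same user-controlled string separately.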

The flaw, CVE-2023-29324, has a CVSS severity score of 6.5. Microsoft is recommending organizations patch both that vulnerability – a fix was issued as part of Patch Tuesday this week – and the earlier CVE-2023-23397.

Barnea wrote that he hoped Microsoft would remove the custom reminder sound feature, saying it poses more security risk than any potential value to users.

“It is a zero-click media parsing attack surface that could potentially contain critical memory corruption vulnerabilities,” he wrote. “Considering how ubiquitous Windows is, eliminating an attack surface as ripe as this could have some very positive effects.” ®