Attackers are targeting a pair of Windows bugs that can be exploited simply by sending a malicious email to the victim, allowing the attacker to steal the users Windows credentials. A vulnerability in the MSHTML / EdgeHTML component used in Microsoft products such as Internet Explorer (now retired), WebBrowser control, Microsoft Edge, and other legacy applications can be exploited to bypass a previous patch released in March to carry out zero-click attacks in the Windows Outlook client. The newly discovered vulnerability tracked as CVE-2023-29324 has been given a medium severity rating and a CVSS base score of 6.5. However, despite this low rating, this flaw can be used to bypass security features which then allows attackers to exploit a critical severity Microsoft Outlook vulnerability, CVE-2023-23397, in what were previously thought to be fixed systems.
CVE-2023-29324 affects the MapUrlToZone function in the Windows API causing it to incorrectly accept a remote path as a local one. This handling error means the previously implemented mitigation of CVE-2023-23397 that uses MapUrlToZone now can be easily bypassed by a remote, unauthenticated attacker, with no interaction required by the user. This legacy flaw affects all Windows versions of the Outlook client. Exploitation of this flaw is known and detected, enabling attackers to connect the vulnerable Outlook client to a server they control. This is performed by sending a malicious email to the victim in a zero-click attack, meaning no user interaction is required, and the attack can take place even before the email is viewed in the Preview Pane. A connection is made from the target to an external UNC that will provide the attacker with access to the Net-NTLMv2 hash of the victim. This allows the attacker to authenticate as their victim in an NTLM Relay attack which can be used to target another service.
Microsoft have informed users that in order to be fully protected the updates patching both CVE-2023-29324 and CVE-2023-23397 need to be applied, and advised that the IE cumulative updates will protect users from these vulnerabilities. The most recent updates available for Microsoft products and Windows systems can be found listed online on the Microsoft Security Update Guide.