Research Uncovers New Microsoft Outlook Vulnerability

Summary: Security researchers have identified a critical vulnerability in Microsoft Outlook, known as CVE-2024-38173, which allows for remote code execution through form injection. This flaw requires user interaction and has been linked to a previous vulnerability that was patched earlier in 2024.

Threat Actor: Morphisec Threat Labs | Morphisec Threat Labs
Victim: Microsoft Outlook | Microsoft Outlook

Key Point :

  • The vulnerability CVE-2024-38173 has a CVSS score of 6.7 and is characterized by “CWE-73: External Control of File Name or Path”.
  • Exploitation requires the attacker to gain access to the victim’s Outlook account and involves installing a malicious form on the victim’s system.
  • Users are advised to update their Outlook applications, block SMB traffic, and implement robust email security measures.
  • This vulnerability is considered a zero-click exploit for systems with Microsoft’s auto-open email feature enabled.

Security researchers have revealed a significant vulnerability in Microsoft Outlook. According to Morphisec Threat Labs, which discovered the flaw, CVE-2024-38173 is a Form Injection Remote Code Execution (RCE) vulnerability with a CVSS score of 6.7. 

It is similar to CVE-2024-30103, which was patched in July 2024. 

The vulnerability CVE-2024-38173 is characterized by the weakness “CWE-73: External Control of File Name or Path”. While the attack vector is classified as local, the attacker can be remote. 

The exploitation occurs locally on the victim’s machine after the attacker has gained access to the victim’s Microsoft Outlook account, typically through compromised or stolen credentials.

The attack complexity is rated as high, which implies that an attacker must take several steps to exploit the vulnerability successfully. Specifically, they need to install a malicious form on the victim’s system. 

User interaction is also required; the victim must open a malicious email and perform specific actions to trigger the vulnerability. Notably, the Preview Pane in Outlook serves as an attack vector, making it easier for attackers to exploit this flaw without requiring extensive user engagement.

“As was the case with CVE-2024-30103, this again is a zero-click vulnerability and does not require user interaction on systems with Microsoft’s auto-open email feature enabled,” Morphisec explained.

To address these vulnerabilities, users are advised to:

  1. Update Microsoft Outlook and Office applications with the latest patches

  2. Block outbound Server Message Block (SMB) traffic and enforce Kerberos authentication

  3. Implement robust email security measures, such as disabling automatic email previews

  4. Educate users on the risks of interacting with emails from unknown sources

Morphisec’s research involved analysis of Outlook’s codebase through fuzzing and reverse engineering. Their findings were reported to Microsoft as part of the responsible disclosure process. Both issues were addressed by the tech giant in its August 2024 patch release.

In addition to CVE-2024-38173, the August patch cycle also included fixes for other vulnerabilities that could potentially be chained together to provide complete control over affected systems.

Read more about these patches: Microsoft Fixes Nine Zero-Days on Patch Tuesday

Image credit: BigTunaOnline / Shutterstock.com

Source: https://www.infosecurity-magazine.com/news/research-uncovers-new-microsoft