Microsoft's mitigation for a critical Outlook zero-day vulnerability that it fixed in March was insufficient, according to new research by Akamai Technologies.
While analyzing the patch for a Microsoft Outlook elevation of privilege vulnerability, tracked as CVE-2023-23397, Akamai researcher Ben Barnea discovered a way to bypass the mitigation using another critical flaw in an Internet Explorer component. Akamai reported the new vulnerability, CVE-2023-29324, to Microsoft in late March, and it was addressed in May's Patch Tuesday updates.
Akamai applauded Microsoft for its prompt response, but said the research speaks to a broader issue of increasingly new vulnerabilities and bypasses that stem from incomplete or insufficient patches for older flaws. "This vulnerability is yet another example of patch scrutinizing leading to new vulnerabilities and bypasses," Barnea wrote in a blog post. "Specifically for this vulnerability, the addition of one character allows for a critical patch bypass."
In March, for example, Magniber ransomware actors discovered a way to bypass Microsoft's remediation for a SmartScreen vulnerability. And in December, Play ransomware operators developed a workaround for Microsoft's ProxyNotShell mitigations for Exchange servers.
Now, Barnea bypassed previous mitigation for CVE-2023-23397, which Russian threat actors had actively exploited. In March, Microsoft revealed that the flaw was used in targeted attacks against European organizations in the government, transportation, energy and military sectors for around one year.
It received a critical CVSS score of 9.8 and allowed for zero-click remote exploitation. Threat actors could exploit the vulnerability by sending an email in Outlook containing a reminder with a custom notification sound, which could be retrieved from untrusted servers. In addition, exploitation of the vulnerability could lead to Windows New Technology LAN Manager (NTLM) credential theft. Barnea warned that an "unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server."
Microsoft's March mitigation addressed "the vulnerability by only using the path to play a sound when from a local, intranet or trusted network source," according to the Microsoft Security Response Center.
However, the new flaw causes a Windows API function -- MapUrlToZone, a security measure that was used to mitigate CVE-2023-23397 -- to incorrectly think a remote path is a local one. Barnea emphasized how the addition of one character tricked MapUrlToZone into thinking it was a local path, allowing for a critical patch bypass. His bypass simulation also used the CreateFile function to open a handle to the sound file.
In the end, Barnea was able to find a path that MapUrlToZone considered local, intranet or a trusted source and that CreateFile treated as an internet domain. By exploiting the original vulnerability with the bypass mitigation, Barnea triggered a calendar event in Outlook that lead to NTLM authentication against a remote server.
Akamai raised broader concerns over using the security measure.
"We believe this kind of confusion can potentially cause vulnerabilities in other programs that use MapUrlToZone on a user-controlled path and then use a file operation (such as CreateFile or a similar API) on the same path. Also, we can not rule out other issues arising in programs that call CreateUri," Barnea wrote in the blog post.
Akamai told TechTarget Editorial that deeper technical analysis could have helped with fully understanding the issue related to the original vulnerability, but it would require much more time.
"Both MapUrlToZone and CreateUri, which is called by MapUrlToZone, are complex functions that parse inputs. Reversing such functions requires much more time," Akamai said in an email.
Based on the research, Akamai believes the custom reminder sound feature should be fully removed, "as it poses more security risks than it provides value to users."
"It is a zero-click media parsing attack surface that could potentially contain critical memory corruption vulnerabilities. Considering how ubiquitous Windows is, eliminating an attack surface as ripe as this is could have some very positive effects," the blog post read.
Barnea warned that all Windows versions and all Outlook clients are affected by CVE-2023-29324. He added that according to Microsoft, March updates for Exchange Server eliminated the custom sound file feature. "Thus, only machines running Outlook clients with an unpatched Exchange server are vulnerable to this issue," Barnea wrote.
Disagreement over severity
Initially, CVE-2023-29324 received a CVSS score of 7.5. However, that severity rating was changed Tuesday when Microsoft released its Patch Tuesday updates. The Akamai research team issued a statement opposing the change.
"We found a remotely exploitable, 0-click vulnerability that can be used to bypass the patch. More precisely, we found that the addition of a single character renders the patch useless. With this finding, we performed the process of responsible disclosure with Microsoft and provided all necessary details as well as a proof of concept of exploitation. According to information shared with us, by Microsoft, beforehand (and seemingly with others as well), the vulnerability indeed received critical severity and a CVSS score of 7.5," the statement said, linking to a Trend Micro Zero Day Initiative post that rated CVE-2023-29324 as critical with a 7.5 CVSS score.
"However, on Patch Tuesday Microsoft ranked the vulnerability as important and reduced its CVSS to 6.5. Our research indicates that the new vulnerability re-enables the exploitation of a critical vulnerability that was seen in the wild and used by APT operators. We still believe our finding is of high severity. In the hands of a malicious actor, it could still have the same consequences as the critical original Outlook bug."
Contacted by TechTarget Editorial, a Microsoft spokesperson provided the following statement: "We released a security update CVE-2023-29324 on May 9. Customers who apply the update, or have automatic updates enabled, will be protected."
Arielle Waldman is a Boston-based reporter covering enterprise security news.