Microsoft patches zero-day in Outlook that can be exploited without user action
The Windows version of Outlook contained a critical vulnerability that could be exploited by sending an email that the user did not even have to open. In practice, the zero-day was exploited to authenticate to other systems with the victim's credentials. Microsoft has released a patch.
CVE-2023-23397 has a CVSS score of 9.8 and is an elevation-of-privilege vulnerability. To exploit it, attackers had to send an email with certain MAPI properties and a UNC path pointing to an attacker-controlled server. The vulnerability allowed attackers to abuse Outlook's NTLM authentication and authenticate as the user on other services.
Microsoft says that the vulnerability does not affect Microsoft 365 services, or the Android, iOS or Mac versions of Outlook. The vulnerability is serious because emails that exploit it are processed by Outlook as soon as they arrive, even if the user has not yet seen the message.
The company has notified certain customers with a threat analytics report, which has been seen by Bleeping Computer. According to this report, Russia's GRU intelligence service allegedly exploited the vulnerability between April and December 2022 to attack government, energy, transportation and military organizations in fewer than fifteen countries. The hacker group, known among other names as APT28 or Fancy Bear, is said to have infiltrated networks via the vulnerability and possibly stolen emails.
Microsoft recommends that users update Outlook immediately to patch the vulnerability. If this is not possible, the company recommends adding users to the Protected Users group and blocking outbound SMB requests to TCP port 445. With a PowerShell script, users can check whether they have been affected by the vulnerability. Microsoft discovered the vulnerability together with CERT-UA, Ukraine's Computer Emergency Response Team.
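The two interim mitigations above can be applied from an elevated PowerShell session. The following is an added example written for this page; it is not Microsoft's own detection script or any code from the article. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed, and the account name `jdoe` is a placeholder.

```powershell
# Added example (not Microsoft's script): apply the two interim mitigations
# the article lists for CVE-2023-23397. Run elevated on a domain-joined host.
# Assumes the ActiveDirectory (RSAT) module is available; 'jdoe' is a placeholder.

# 1. Block outbound SMB (TCP 445) so Outlook cannot complete an NTLM
#    handshake against a remote server named in a UNC path.
$ruleName = 'Block outbound SMB TCP 445 (CVE-2023-23397 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify the rule exists and is enabled.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action

# 2. Add high-value accounts to Protected Users. Members of that group
#    cannot authenticate with NTLM, so there is no NTLM credential for the
#    malicious email to extract.
Import-Module ActiveDirectory
$accounts = @('jdoe')   # placeholder sAMAccountName(s)
foreach ($sam in $accounts) {
    $alreadyMember = Get-ADGroupMember -Identity 'Protected Users' |
        Where-Object { $_.SamAccountName -eq $sam }
    if (-not $alreadyMember) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $sam
        Write-Host "Added $sam to Protected Users"
    } else {
        Write-Host "$sam is already a member of Protected Users"
    }
}
```

Two caveats before rolling this out: a host-level block on outbound 445 also breaks legitimate SMB to internal file servers, so in practice scope the rule with `-RemoteAddress` to internet ranges or enforce the block at the network perimeter instead; and Protected Users has side effects beyond disabling NTLM (no DES or RC4 Kerberos keys, shorter ticket lifetimes, no delegation), so test with a pilot group first.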