Why Microsoft just patched a patch that squashed an under-attack Outlook bug
If a miscreant carefully crafted a mail with the notification sound path set to a remote SMB server, then when Outlook fetched and processed the message and automatically followed the path to the file server, it would hand over the user's Net-NTLMv2 hash in an attempt to log in.
The patch from a couple of months ago made Outlook use the Windows function MapUrlToZone to inspect where a notification sound path was really pointing, and if it was out to the internet, it would be ignored and the default sound would play.
The problem is that a maliciously constructed path can be passed to MapUrlToZone so that the function decides the path does not point to the external internet, even though it does when the application comes to open it.
"An attacker can specify a UNC path that would cause the client to retrieve the sound file from any SMB server," he explained.
To find a bypass for Microsoft's original patch, Barnea wanted to craft a path that MapUrlToZone would label as local, intranet, or a trusted zone - meaning Outlook could safely follow it - but when passed to the CreateFile function to open, would make the OS go connect to a remote server.
Microsoft is recommending organizations fix both the bypass vulnerability - a patch was issued as part of Patch Tuesday this week - and the earlier CVE-2023-23397.
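A detection sketch for the behaviour described above, added here as an example and not taken from the article or from Microsoft: it flags Outlook connections to TCP 445 (SMB) on addresses outside the internal ranges, which is the connection that carries the Net-NTLMv2 hash off the network. The log layout, host names and the `INTERNAL_NETS` list are constructed assumptions; substitute your own telemetry fields and address ranges.

```python
import csv
import io
import ipaddress

SMB_PORT = 445
# Assumption: these ranges stand in for "internal"; replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample records (not real telemetry). Columns:
# timestamp, host, process image, destination IP, destination port
SAMPLE_LOG = r"""2023-05-12T09:14:02Z,WS-0141,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,10.20.0.15,445
2023-05-12T09:14:09Z,WS-0141,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,203.0.113.77,445
2023-05-12T09:15:30Z,WS-0207,C:\Windows\System32\svchost.exe,198.51.100.4,445
2023-05-12T09:16:44Z,WS-0207,C:\Program Files\Microsoft Office\root\Office16\outlook.exe,198.51.100.23,445
2023-05-12T09:17:01Z,WS-0310,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,192.0.2.10,443
"""

def is_internal(addr):
    """True if addr falls inside one of the configured internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_external_smb(log_text, process_name="outlook.exe"):
    """Return records where the named process connected to SMB off-network."""
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, host, image, dst_ip, dst_port = row
        # Compare on the executable name only, case-insensitively.
        if image.rsplit("\\", 1)[-1].lower() != process_name:
            continue
        try:
            if int(dst_port) != SMB_PORT or is_internal(dst_ip):
                continue
        except ValueError:
            continue  # unparsable port or address
        hits.append({"time": ts, "host": host, "dst_ip": dst_ip})
    return hits

if __name__ == "__main__":
    for hit in find_external_smb(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']} -> {hit['dst_ip']}:{SMB_PORT}")
```
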
News URL
https://go.theregister.com/feed/www.theregister.com/2023/05/12/microsoft_patches_second_flaw/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-03-14 | CVE-2023-23397 | Authentication Bypass by Capture-replay vulnerability in Microsoft products Microsoft Outlook Elevation of Privilege Vulnerability | 9.8 |