Security News > 2024 > July > New Specula tool uses Outlook for remote code execution in Windows
Microsoft Outlook can be turned into a C2 beacon to remotely execute code, as demonstrated by a new red team post-exploitation framework named "Specula," released today by cybersecurity firm TrustedSec.
This C2 framework works by creating a custom Outlook Home Page using WebView by exploiting CVE-2017-11774, an Outlook security feature bypass vulnerability patched in October 2017.
Even though Microsoft patched the flaw and removed the user interface to show Outlook home pages, attackers can still create malicious home pages using Windows Registry values, even on systems where the latest Office 365 builds are installed.
As Trusted explains, Specula runs purely in Outlook's context, and it works by setting a custom Outlook home page via registry keys that call out to an interactive Python web server.
The attacker-controlled Outlook home page is designed to serve custom VBscript files that an attacker can use to execute arbitrary commands on compromised Windows systems.
As U.S. Cyber Command warned five years ago, the CVE-2017-11774 Outlook vulnerability was also used to target U.S. government agencies.
News URL
Related news
- New OpenSSH Vulnerability Discovered: Potential Remote Code Execution Risk (source)
- Critical Flaw in Telerik Report Server Poses Remote Code Execution Risk (source)
- July Windows Server updates break Remote Desktop connections (source)
- New Zero-Day Flaw in Apache OFBiz ERP Allows Remote Code Execution (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-10-13 | CVE-2017-11774 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Outlook 2010/2013/2016 Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 allow an attacker to execute arbitrary commands, due to how Microsoft Office handles objects in memory, aka "Microsoft Outlook Security Feature Bypass Vulnerability." | 7.8 |