How Outlook notification sounds can lead to zero-click exploits
A researcher found two Microsoft vulnerabilities which could be combined to achieve zero-click remote code execution.
An Akamai researcher has found two vulnerabilities in Windows that can be combined to achieve a full, zero-click remote code execution (RCE) in Outlook.
Both vulnerabilities were responsibly disclosed to Microsoft and addressed in the August 2023 and October 2023 patch Tuesdays, so the researcher felt it was no problem to disclose their findings.
The first vulnerability, listed as CVE-2023-35384, is a Windows HTML platforms security feature bypass vulnerability. It allows an attacker to craft a malicious file or send a malicious URL that would evade Security Zone tagging, resulting in a loss of integrity and availability of security features utilized by browsers and some custom applications (including Outlook).
This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended. Basically the exploit falsely tells the system that the file or URL is local so it has a higher trust factor. For more technical details and the methodology used to find the vulnerability we refer to the researchers post.
The second vulnerability, listed as CVE-2023-36710, is a Windows Media Foundation Core Remote Code Execution vulnerability where the word Remote refers to the location of the attacker. The attack itself is carried out locally.
As part of the process of playing a WAV (Waveform Audio File), the researcher found it was possible to cause two out-of-bounds writes for WAV files with a certain size. An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions.
To chain these vulnerabilities together, an attacker would have to send an affected Outlook client an email reminder with a custom notification sound. By using the first vulnerability the client would retrieve the sound file from any SMB server. The Server Message Block protocol (SMB protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.
And when the specially crafted sound file is auto-played this can lead to code execution on the victim’s machine without interaction (zero-click).
Is this something to worry about?
Personally, I don’t think so. Although the research was very thorough and interesting, creating a suitable sound file is challenging. The researcher noted that the smallest possible file size with IMA ADP codec is 1 GB and that it might not be possible to achieve in some codecs, like MP3.
Also, patches for the vulnerabilities have been available for months. It does prove however that with some effort it is possible to find these type of vulnerabilities, and there are undoubtedly more out there.
To demonstrate that fact, it is good to know that CVE-2023-35384 is the second patch bypass for CVE-2023-23397, which was discovered by the same researcher and patched by Microsoft as part of its May 2023 security updates.
The researcher criticized Microsoft’s patching methods:
“As a result, the patch added more code that also had vulnerabilities in it. We suggested to remove the abused feature instead of using patches, since the feature does more harm than good.”
So, instead of rooting out the problem, Microsoft added more code and with that, made the attack surface larger. A problem we unfortunately encounter often.
If your organization has been unable to patch these vulnerabilities, you can mitigate the risks by using microsegmentation to block outgoing SMB connections to remote public IP addresses. Microsegmentation refers to an approach to security that involves dividing a network into segments and applying security controls to each segment based on the segment’s requirements.
Or use the ThreatDown DNS filtering module to block suspicious web domains and manage specific site restrictions.