Ben Barnea of Akamai reveals the details of a new zero-click vulnerability in Windows.
Cybersecurity researchers reported on a recently patched vulnerability in the MSHTML platform of the Windows operating system that could be used to bypass integrity protection mechanisms on target computers.
The vulnerability has been identified as CVE-2023-29324, with a CVSS rating of 6.5, and has been described as a security bypass. Microsoft fixed it as part of the May 2023 monthly security updates.
Ben Barnea of Akamai, who first discovered and reported the bug, noted that all versions of Windows are vulnerable, but Microsoft Exchange servers with the March update no longer contain the vulnerable component.
“An unauthorized Internet attacker could use this vulnerability to force the Outlook client to connect to a server controlled by the same attacker. This led to the theft of NTLM credentials. It is important to note that this is a Zero-Click vulnerability, meaning it worked without any user interaction,” Barnea explained.
It is also worth noting that CVE-2023-29324 is effectively a bypass of the fix for an earlier vulnerability, CVE-2023-23397, which was patched in March and which, according to Akamai, was actively exploited last year by supposedly Russian hackers to escalate privileges in Outlook and steal data.
Akamai said the issue is related to complex path handling in Windows, which allows an attacker to create a malicious URL that can bypass internet zone security checks.
“This vulnerability is another example of how patch analysis leads to new vulnerabilities and workarounds,” said Barnea. “This is a zero-click attack on the media parsing surface that could potentially contain critical memory corruption vulnerabilities.”
For complete protection, Microsoft recommends that users also install cumulative updates for Internet Explorer to fix vulnerabilities in the MSHTML framework and script engine.