Recent research has uncovered a critical vulnerability in Microsoft Outlook that could enable remote code execution. Identified as CVE-2024-38021, the flaw allows attackers to execute arbitrary code on a vulnerable system without requiring any prior authentication.
By exploiting this vulnerability, malicious actors could potentially gain control of a compromised device and carry out various harmful activities, such as stealing sensitive data, installing malware, or launching further attacks.
In early 2024, Check Point research discovered a vulnerability in Outlook that could be exploited to leak local NTLM credentials and potentially execute remote code. The vulnerability was triggered when users clicked on hyperlinks pointing to remote files that included an exclamation mark.
This character transformed the file moniker into a composite moniker, bypassing Outlook’s security restrictions, which, composed of a file moniker and an item moniker, altered how Outlook parsed the link, leading to the security breach.
The Windows APIs Hlink!HlinkCreateFromString and Ole32!MkParseDisplayName, which are used to create and parse hyperlink objects, pose security risks. When a string in a certain format is passed to HlinkCreateFromString, it can be forwarded to MkParseDisplayName, which is less secure.
Both APIs warn against passing untrusted hyperlink strings, as some moniker implementations might execute actions during parsing, which could potentially lead to malicious code execution if an attacker can craft a specially formatted hyperlink.
MkParseDisplayName can pose security risks due to its handling of composite monikers. When a composite moniker is passed to this function, it triggers the BindToObject method, which interacts with the appropriate COM object for the file type.
The process can lead to security vulnerabilities. For instance, accessing a .rtf file might inadvertently spawn winword.exe, leaking local NTLM credentials.
Additionally, parsing the file can expose the system to remote code execution vulnerabilities like CVE-2023-21716, which highlight the potential dangers of using MkParseDisplayName without proper security considerations.
Microsoft has patched CVE-2024-21413 by hooking the MkParseDisplayName function within the InitDetours method, which validates a flag, BlockMkParseDisplayNameOnCurrentThreat, which, when set to true, prevents the parsing of potentially malicious moniker strings.
The flag is set by the Microsoft Office wrapper function, Hlink! HlinkCreateFromString is only for Outlook applications, effectively blocking malicious moniker string parsing in Outlook.
Microsoft also patched CVE-2024-38021 by blocking composite moniker parsing within image tag URLs. However, a new vulnerability was discovered where passing a simple file moniker still allowed NTLM credential leakage.
It suggests that the patch did not fully address all potential security risks associated with moniker handling, while its official response was to advise users to follow security best practices and avoid trusting content from unknown sources.
Morphisec’s provides a proactive defense by creating a virtual patch that shields applications from exploitation attempts, giving organizations time to deploy official patches, which significantly reduces the attack surface and offers organizations crucial protection against these types of vulnerabilities.