[German]Microsoft has again delivered a fix for an Outlook vulnerability with Windows updates as of May 9, 2023. This update is intended to close a vulnerability in Outlook that was already incompletely patched in March 2023. Russian hackers have exploited this vulnerability in the past.
Advertising
The old the Outlook vulnerability CVE-2023-2339
In March 2023, Microsoft had publicly disclosed a critical vulnerability CVE-2023-23397, which allows third-party privilege exploitation, and supposedly closed it with an update (see Patch critical EvP vulnerability CVE-2023-23397 in Outlook). The vulnerability in question was CVE-2023-23397 in Microsoft Outlook. This is an elevation of privilege (EvP) vulnerability that has received a CVEv3 score of 9.8, meaning it is rated extremely critical.
Attackers can send a malicious email to a vulnerable version of Outlook. When the email is loaded from the server and processed in the client, a connection can be established to an attacker-controlled device to expose the email recipient's Net-NTLMv2 hash. The attacker can use that hash to authenticate as the victim's recipient in an NTLM relay attack, Microsoft said.
Microsoft released security updates for Outlook 2016 (KB5002254) and for Outlook 2013 (KB5002265) on March 14, 2023 (see Patchday: Microsoft Office Updates (March 14, 2023)). However, only Outlook systems that work against Exchange mailboxes were affected. Microsoft had not only informed Exchange administrators about the vulnerability on the March 2023 patchday, but also published a check script (see the blog post Exchange Server Security Updates (March 14, 2023)).
Vulnerability patched incomplete
In the blog post Outlook vulnerability CVE-2023-23397 not fully patched I had then pointed out that the patch was incomplete. The attack can still be executed with somewhat modified emails. Ben Barnea from Akamai points out on Twitter that he found a bypass for the March 2023 patch from Microsoft.
Advertising
Ben Barnea writes that according to the information shared by Microsoft in advance (and apparently by others as well), the vulnerability was indeed rated critical and given a CVSS score of 7.5. However, on Patch Tuesday, Microsoft rated the vulnerability as important and lowered the CVSS score to 6.5 – an explanation is missing. Ben writes on the matter:
"Our research indicates that the new vulnerability allows exploitation of a critical vulnerability that has been observed in the wild and exploited by APT (Advanced Persistent Threat) operators. We continue to believe that our discovery is of great consequence. In the hands of a malicious actor, it could have the same consequences as the critical original Outlook bug."
The details are described in the Akamai blog post From One Vulnerability to Another: Outlook Patch Analysis Reveals Important Flaw in Windows API. Additional articles can be found on Darkreading and The Record.
New fix for vulnerability CVE-2023-29324
As of May 9, 2023, Microsoft then added text to the support post Microsoft Mitigates Outlook Elevation of Privilege Vulnerability with the following content:
May 9, 2023 update: Releases for Microsoft Products has been updated with the release of CVE-2023-29324 – Security Update Guide – Microsoft – Windows MSHTML Platform Security Feature Bypass Vulnerability
Im verlinkten Beitrag heißt es, dass Kunden die Updates für CVE-2023-23397 (Patch kommt für Outlook, siehe oben) sowie für CVE-2023-29324 (Patch für die MSHTML-Komponente, kommt per IE- und Windows Update) installieren müssen, um vollständig geschützt zu sein. Die Schwachstelle betrifft alle im Support befindlichen Windows-Versionen, bei denen die MSHTML-Komponente gepatcht wird.
Microsoft then published the list of Windows updates addressing this vulnerability (in MSHTML) under CVE-2023-29324. Furthermore, Microsoft recommends administrators who install security-only updates for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 also install the May 2023 update KB5026366 for Internet Explorer 11. The reason: The security-only updates do not include the patched IE component.
Similar articles:
Patch critical EvP vulnerability CVE-2023-23397 in Outlook
Patchday: Microsoft Office Updates (March 14, 2023)
Exchange Server Security Updates (March 14, 2023)
Outlook vulnerability CVE-2023-23397 not fully patched
Microsoft Guidelines for investigating attacks using CVE-2023-23397
Microsoft Security Update Summary (May 9, 2023)
Patchday: Windows 10-Updates (May 9, 2023)
Patchday: Windows 11/Server 2022-Updates (May 9, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (May 9, 2023)
Patchday: Microsoft Office Updates (May 9, 2023)
Microsoft Office Updates (May 2, 2023)
