Cyber Security Threat Summary:
“Cybersecurity researchers have shared details about a now-patched security flaw in Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines. The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023. Akamai security researcher Ben Barnea, who discovered and reported the bug, noted that all Windows versions are affected, but pointed out Microsoft, Exchange servers with the March update omit the vulnerable feature. ‘An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server,’ Barnea said in a report shared with The Hacker News. ‘This results in NTLM credentials theft. It is a zero-click vulnerability, meaning it can be triggered with no user interaction.’” (The Hacker News, 2023).

Security Officer Comments:
The flaw is due to a complex handling of paths in Windows, which could enable a malicious threat actor to sidestep internet zone checks via a specially crafted URL. According to Akamai, CVE-2023-29324 is a bypass that was created for a fix Microsoft issued to resolve CVE-2023-23397, a critical privilege escalation flaw in Outlook which is believed to be exploited by Russian threats since April 2022 in attacks targeting European entities.

“This vulnerability is yet another example of patch scrutinizing leading to new vulnerabilities and bypasses…It is a zero-click media parsing attack surface that could potentially contain critical memory corruption vulnerabilities,” stated Barnea.

Suggested Corrections:
In order to stay fully protected, Microsoft is further recommending users to install Internet Explorer Cumulative updates to address vulnerabilities in the MSHTML platform and scripting engine.

Link(s):
https://thehackernews.com/2023/05/experts-detail-new-zero-click-windows.html