Critical RCE Vulnerability in Microsoft Outlook: Easy to Exploit, Hard to Defend

February 14, 2024

A critical security flaw in Microsoft Outlook, which can be exploited by remote unauthenticated attackers, has been discovered. This vulnerability, identified as CVE-2024-21413, was found by Check Point vulnerability researcher Haifei Li. The bug allows for remote code execution (RCE) when users open emails containing malicious links through a vulnerable version of Microsoft Outlook. This is possible because the flaw also allows attackers to bypass the Office Protected View, a feature designed to block harmful content embedded in Office files by opening them in read-only mode.

The security flaw also affects the Preview Pane, making it a potential attack vector. This means that the vulnerability can be exploited even when previewing maliciously crafted Office documents. The attacks exploiting CVE-2024-21413 are low-complexity and do not require user interaction. As Microsoft explains, 'An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality.' Furthermore, an attacker could craft a malicious link that bypasses the Protected View Protocol, leading to the leaking of local NTLM credential information and remote code execution (RCE).

The vulnerability affects a range of Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019 (under extended support). Check Point has published a report in which it names the vulnerability 'Moniker Link'. The flaw lets attackers bypass Outlook's built-in protections for links embedded in emails by using the file:// protocol and appending an exclamation mark to URLs that point to attacker-controlled servers.

The vulnerability stems from the unsafe MkParseDisplayName API, which suggests that other software using this API could also be affected. Successful attacks exploiting CVE-2024-21413 can lead to the theft of NTLM credential information and arbitrary code execution via maliciously crafted Office documents. Check Point confirmed that the bug affects the latest Windows 10/11 + Microsoft 365 (Office 2021) environments and likely other Office editions/versions as well. The researchers believe the issue has been overlooked for decades, as it lies in the core of the COM APIs. They strongly recommend that all Outlook users apply the official patch as soon as possible.
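The two paragraphs above describe the link shape at the heart of 'Moniker Link': a file:// (UNC) reference to a remote host with an exclamation mark in the path. A mail-security team can triage inbound HTML mail for exactly that shape before the patch is rolled out. The following scanner is an added example written for this article, not code from Check Point or Microsoft: it pulls hrefs out of a message body, normalises file:// and UNC links, and labels them as local, internal, external, or matching the '!' pattern. The hostnames, the internal allowlist and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote


class _HrefCollector(HTMLParser):
    """Collect every <a href="..."> value from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def extract_links(html_body):
    parser = _HrefCollector()
    parser.feed(html_body)
    return parser.hrefs


def _unc_parts(url):
    """Return (host, path) for file:// or \\\\host UNC links, else None.

    Local paths (C:\\...) and non-file schemes yield None. Percent-encoding
    is removed first so a %21 cannot hide the '!' from the check.
    """
    u = url.strip()
    if u.lower().startswith("file:"):
        u = u[len("file:"):]
    u = unquote(u).replace("/", "\\")
    if not u.startswith("\\\\"):
        return None
    rest = u.lstrip("\\")
    host, _, path = rest.partition("\\")
    if host.endswith(":") or not host:   # file:///C:/... is a local drive, not a share
        return None
    return host, path


def classify_link(url, trusted_hosts=()):
    """Label one href.

    'suspicious-moniker': remote share plus '!' in the path, the shape
                          described for CVE-2024-21413.
    'external-unc':       file:// link to a host outside the allowlist; opening
                          it would send an NTLM authentication to that host.
    'internal-unc':       file:// link to an allowlisted internal file server.
    'ok':                 anything else (http(s), mailto, local drive paths).
    """
    parts = _unc_parts(url)
    if parts is None:
        return "ok"
    host, path = parts
    if "!" in path:
        return "suspicious-moniker"
    if host.lower() in {h.lower() for h in trusted_hosts}:
        return "internal-unc"
    return "external-unc"


def scan_email(html_body, trusted_hosts=()):
    """Return [(href, verdict)] for every link that is not plain 'ok'."""
    findings = []
    for href in extract_links(html_body):
        verdict = classify_link(href, trusted_hosts)
        if verdict != "ok":
            findings.append((href, verdict))
    return findings


# Constructed sample message; hosts and addresses are placeholders
# (198.51.100.7 is from the RFC 5737 documentation range).
SAMPLE_HTML = r"""<html><body>
<p>Quarterly figures: <a href="https://intranet.example/report">report</a></p>
<p>Shared drive: <a href="file://fileserver.example.internal/finance/q1.xlsx">Q1</a></p>
<p>Please review: <a href="file:///\\198.51.100.7\docs\invoice.docx!x">invoice</a></p>
<p>Local copy: <a href="file:///C:/Users/Public/notes.txt">notes</a></p>
</body></html>"""

TRUSTED = ("fileserver.example.internal",)

if __name__ == "__main__":
    for href, verdict in scan_email(SAMPLE_HTML, TRUSTED):
        print(f"{verdict:20s} {href}")
```

The 'external-unc' label is deliberately separate from 'suspicious-moniker': even without the exclamation mark, a file:// link to a host outside the organisation is worth quarantining or stripping at the gateway, because following it leaks NTLM credentials as the article notes. The allowlist keeps ordinary links to internal file servers from flooding the queue.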

Initially, Microsoft updated the CVE-2024-21413 security advisory to warn that this Outlook bug was also being exploited in attacks as a zero-day before this month's Patch Tuesday. However, the company later retracted the update, stating that it 'mistakenly updated exploited flag and exploitability assessment to indicate exploitation existed.'
