Microsoft Outlook Zero-Click Security Flaws Triggered by Sound File Exploitation

December 19, 2023

This week, researchers revealed details about two security flaws in Microsoft Outlook that, when combined, allow attackers to execute arbitrary code on affected systems without any user interaction. What makes the pair unusual is that both can be triggered through a sound file.

The first of the two vulnerabilities, identified as CVE-2023-35384, is a second patch bypass for a critical privilege escalation flaw in Outlook that was initially patched by Microsoft in March. This vulnerability was discovered by researchers at Akamai.

The second flaw, tagged as CVE-2023-36710, is a remote code execution (RCE) vulnerability associated with a feature of Windows Media Foundation. This flaw is related to how Windows parses sound files.

In a two-part blog post, Akamai stated, "An attacker on the Internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients." Microsoft released a patch for CVE-2023-35384 in August after Akamai researchers informed the company about the flaw.

CVE-2023-35384 arises from a security check in Outlook that fails to properly validate whether a requested URL is in the local machine zone, the intranet zone, or another trusted zone. According to Akamai, the vulnerability can be triggered by sending an email reminder with a custom notification sound to an affected Outlook client.

Akamai explained that an attacker can specify a UNC path leading the client to retrieve the sound file from any SMB server on the Internet, rather than from a safe or trusted zone. To activate the second vulnerability, an attacker would use the first vulnerability to send a specially crafted email that downloads a malicious sound file from an attacker-controlled server.

When the downloaded sound file is autoplayed, it can result in code execution on the victim machine. Akamai's security researcher, Ben Barnea, stated that an attacker can exploit both vulnerabilities individually or in a chained manner.

"While each one of them is a somewhat 'weak' vulnerability, by chaining them together against Outlook we achieved a powerful zero-click RCE vulnerability," he says.

It's worth noting that this is the second time Akamai researchers have found a way around a March patch that Microsoft issued for the Outlook privilege-escalation flaw tracked as CVE-2023-23397.

The original bug allowed attackers to use a sound file to steal a user's password hash and authenticate to services the user has access to. As of Dec. 4, Microsoft warned that Russia's Fancy Bear group (aka Forest Blizzard) was actively exploiting the flaw to gain unauthorized access to email accounts on Exchange servers.

Microsoft's original patch was designed to ensure that before Outlook handles emails containing custom notification reminders, it first verifies the safety of the URL for the sound file. The patch was supposed to ensure that if the URL for the custom notification sound was brought in from an untrusted/unverified domain, Outlook's default notification sound is used instead.
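The check described above (validate where the custom reminder sound comes from, and fall back to the default sound when it is not local and trusted) can be illustrated with an added example. This is not code from Akamai, Microsoft or the article, and it does not call the Windows MapUrlToZone API that the real patch uses; the classifier `classify_sound_location`, the resolver `resolve_reminder_sound`, the `TRUSTED_SOUND_DIRS` allow-list, the `DEFAULT_SOUND` placeholder, the remote-scheme list and all sample paths are constructed for illustration. It goes slightly beyond the article by also rejecting http/https URLs and local paths that escape the allow-list through `..` segments.

```python
"""
Added example, not code from Akamai, Microsoft or the article: a defender-side
check that mirrors the behaviour the article attributes to Microsoft's patch,
i.e. only play a reminder sound that lives in a local, trusted location and
otherwise fall back to Outlook's default sound. Real Outlook relies on the
Windows MapUrlToZone API; the classifier below is a stand-in written for this
example, and the directory allow-list and sample paths are constructed.
"""
import ntpath
import re
from urllib.parse import unquote, urlparse

DEFAULT_SOUND = r"C:\Windows\Media\Windows Notify.wav"   # constructed placeholder
TRUSTED_SOUND_DIRS = (r"C:\Windows\Media",)             # constructed allow-list
REMOTE_SCHEMES = {"http", "https", "ftp", "smb", "webdav"}   # assumption


def _to_windows_path(location: str) -> str:
    """Normalise slashes and collapse '.'/'..' segments using Windows path rules."""
    return ntpath.normpath(location.replace("/", "\\"))


def classify_sound_location(location: str) -> tuple[str, str]:
    """Classify where a reminder-sound location points.

    Returns (kind, normalised_path); kind is one of 'local', 'unc',
    'remote_url' or 'unknown'. A UNC path (\\\\host\\share\\...), a file:// URL
    with a host, or any http/https/... URL counts as remote because, as the
    article explains, fetching the sound from an SMB server on the Internet
    is exactly what the patch is meant to prevent.
    """
    loc = location.strip()
    parsed = urlparse(loc)
    scheme = parsed.scheme.lower()
    if len(scheme) > 1:                       # a one-letter "scheme" is a drive letter
        if scheme in REMOTE_SCHEMES:
            return "remote_url", loc
        if scheme != "file":
            return "unknown", loc
        if parsed.netloc and parsed.netloc.lower() != "localhost":
            return "unc", _to_windows_path("//" + parsed.netloc + parsed.path)
        loc = unquote(parsed.path)
        loc = re.sub(r"^/(?=[A-Za-z]:)", "", loc)   # file:///C:/x -> C:/x
    win = _to_windows_path(loc)
    if win.startswith("\\\\"):
        return "unc", win
    drive = ntpath.splitdrive(win)[0]
    if len(drive) == 2 and drive[1] == ":":
        return "local", win
    return "unknown", win


def _under_trusted_dir(win_path: str) -> bool:
    """True when win_path (already normalised) sits below an allow-listed directory."""
    target = ntpath.normcase(win_path)
    for trusted in TRUSTED_SOUND_DIRS:
        base = ntpath.normcase(ntpath.normpath(trusted))
        if target == base or target.startswith(base + "\\"):
            return True
    return False


def resolve_reminder_sound(location: str) -> tuple[str, str]:
    """Decide which sound to play for a reminder carrying a custom sound location.

    Returns (path_to_play, reason). Only a local file under a trusted directory
    is honoured; everything else, including remote shares and local paths that
    escape the allow-list via '..', falls back to the default sound.
    """
    kind, win = classify_sound_location(location)
    if kind == "local" and _under_trusted_dir(win):
        return win, "local_trusted"
    if kind == "local":
        return DEFAULT_SOUND, "fallback:untrusted_dir"
    return DEFAULT_SOUND, "fallback:" + kind


if __name__ == "__main__":
    # Constructed sample locations, as a reminder payload might carry them.
    for sample in (
        r"C:\Windows\Media\chimes.wav",
        r"\\attacker.example\share\reminder.wav",
        "file://attacker.example/share/reminder.wav",
        "https://attacker.example/reminder.wav",
        r"C:\Windows\Media\..\..\Users\Public\reminder.wav",
    ):
        print(f"{sample!r:60} -> {resolve_reminder_sound(sample)}")
```

The important design choice is that the decision is made on the normalised path rather than on the string as received: a UNC path, a `file://` URL with a host, and a `..` escape from the allowed directory all end up in the fallback branch, which is the behaviour the article says the patch was supposed to guarantee.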

However, Akamai researchers probing the patch discovered they could bypass it by adding a single character to a function in the Microsoft update. This discovery led Microsoft to assign the issue a separate CVE (CVE-2023-29324) and issue a patch for it in May.

The new bypass that Akamai is detailing this week also arises from an issue in the original patch. Barnea explained that the patch for the original vulnerability used a function called 'MapUrlToZone' to mitigate the abuse of the custom reminder sound feature.

"The function is a complex one and increases the attack surface available to the attacker. As a result, the patch added more code that also had vulnerabilities in it," he says. "We suggested to remove the abused feature instead of using patches, since the feature does more harm than good."
