Zero-Click Windows Vulnerability Allows NTLM Credential Theft
May 10, 2023
Cybersecurity researchers have recently disclosed information about a now-fixed security vulnerability in the Windows MSHTML platform. This flaw could have been exploited to bypass integrity protections on targeted systems. Identified as CVE-2023-29324 (CVSS score: 6.5), the issue is classified as a security feature bypass and was resolved by Microsoft in its May 2023 Patch Tuesday updates.
Akamai security researcher Ben Barnea, who discovered and reported the bug, emphasized that all Windows versions are affected. However, Microsoft and Exchange servers with the March update do not include the vulnerable feature. Barnea explained, "An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server. This results in NTLM credentials theft. It is a zero-click vulnerability, meaning it can be triggered with no user interaction."
CVE-2023-29324 is a bypass for the fix that Microsoft implemented in March 2023 to address CVE-2023-23397, a critical privilege escalation vulnerability in Outlook that has been exploited by Russian threat actors in attacks targeting European entities since April 2022.
According to Akamai, the problem originates from the complicated handling of paths in Windows, which enables a threat actor to create a malicious URL capable of evading internet security zone checks. Barnea added, "This vulnerability is yet another example of patch scrutinizing leading to new vulnerabilities and bypasses. It is a zero-click media parsing attack surface that could potentially contain critical memory corruption vulnerabilities."
To ensure complete protection, Microsoft recommends users install Internet Explorer Cumulative updates to address vulnerabilities in the MSHTML platform and scripting engine.