Cybersecurity researchers have recently disclosed information about a now-fixed security vulnerability in the Windows MSHTML platform. This flaw could have been exploited to bypass integrity protections on targeted systems. Identified as CVE-2023-29324 (CVSS score: 6.5), the issue is classified as a security feature bypass and was resolved by Microsoft in its May 2023 Patch Tuesday updates.
Akamai security researcher Ben Barnea, who discovered and reported the bug, emphasized that all Windows versions are affected. However, Microsoft Exchange servers with the March update do not include the vulnerable feature. Barnea explained, "An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server. This results in NTLM credentials theft. It is a zero-click vulnerability, meaning it can be triggered with no user interaction."
CVE-2023-29324 is a bypass for the fix that Microsoft implemented in March 2023 to address CVE-2023-23397, a critical privilege escalation vulnerability in Outlook that had been exploited by Russian threat actors in attacks targeting European entities since April 2022.
According to Akamai, the problem originates from the complicated handling of paths in Windows, which enables a threat actor to create a malicious URL capable of evading internet security zone checks. Barnea added, "This vulnerability is yet another example of patch scrutinizing leading to new vulnerabilities and bypasses. It is a zero-click media parsing attack surface that could potentially contain critical memory corruption vulnerabilities."
To ensure complete protection, Microsoft recommends that users install the Internet Explorer cumulative updates, which address vulnerabilities in the MSHTML platform and scripting engine.