Highlights:

  • Usually, sound files employ various forms of compression to maintain more manageable file sizes. Windows Outlook is a component that is susceptible to one of the exploits.
  • Microsoft published mitigation guidance in March, offering recommendations on how to prevent the exploitation of these vulnerabilities.

Researcher Ben Barnea from Akamai Technologies Inc. has discovered two vulnerabilities within Windows Outlook clients. These vulnerabilities risk remote code execution, potentially exploited by attackers sending specially crafted sound file attachments.

Both vulnerabilities build upon previously identified exploits that Microsoft Corp. only partially addressed in March, August, and October. Barnea recently posted two blog entries (part one and part two) describing the exploits in detail, explaining how they work, and outlining preventive measures.

Outlook facilitates the playback of sound files, including .WAV files, for user convenience. However, this functionality introduces another avenue for malware to potentially deposit on a victim’s computer. Usually, sound files employ various forms of compression to maintain more manageable file sizes. This particular component of Windows is susceptible to one of the exploits.

Barnea asserts that Windows machines equipped with the October 2023 software update are safeguarded against these vulnerabilities. Furthermore, Outlook clients utilizing Exchange servers patched with the March 2023 software update, identified as CVE-2023-23397, are shielded against the exploited feature.

The March Outlook vulnerability was exploited earlier this month by a Russian state-sponsored malware group known as Forest Blizzard, also recognized as Strontium. This group has been attributed to various attacks, including one targeting Ukraine last year.

Barnea discovered a method to take control of a Windows machine by exploiting the scenario where a user receives an email reminder containing a custom notification sound as an attachment. This exploit operates as a “zero-click” attack, meaning the user is not required to click on the attachment for the vulnerability to be exploited.

These exploits hinge on chaining the previously identified vulnerabilities in a precise order to seize control of a victim’s computer. Microsoft published mitigation guidance in March, offering recommendations on how to prevent the exploitation of these vulnerabilities.

In his post, Barnea mentions that while the mitigation guidance provided by Microsoft is helpful, it falls short of comprehensive protection. He suggests that “organizations use micro network segmentation to block outgoing SMB connections to remote public IP addresses and that you either disable NTLM in your environment or add users to the Protected Users group in Active Directory.”
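The two mitigations quoted above, expressed as an added PowerShell example (not code from Akamai, Barnea, or Microsoft): a local Windows Firewall rule that blocks outbound SMB (TCP 445) to non-local addresses, and adding accounts to the Active Directory Protected Users group. It assumes an elevated session on a domain-joined host, the ActiveDirectory RSAT module, and placeholder account names.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Applies the two mitigations
# Barnea recommends on top of Microsoft's guidance. Assumes: local admin
# rights, a domain-joined host, RSAT ActiveDirectory module, and that the
# account names below are placeholders to be replaced.

# 1. Block outbound SMB to public IP space with the host firewall.
#    The 'Internet' keyword covers addresses outside the local subnets and
#    intranet, so SMB to internal file servers keeps working. This is one
#    layer; the same block belongs on perimeter firewalls and VPN policy.
$ruleName = 'Block outbound SMB (TCP 445) to Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}
# Verify the rule exists and is enabled.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action

# 2. Add accounts to 'Protected Users'. Members can no longer authenticate
#    with NTLM, so a leaked Net-NTLMv2 hash is of no use to the attacker.
#    The group also disables Kerberos DES/RC4, delegation, and long TGT
#    lifetimes, so pilot with a small set of users before a broad rollout
#    and leave service accounts that depend on NTLM out of it.
Import-Module ActiveDirectory
$accounts = @('jdoe', 'asmith')   # placeholder sAMAccountNames
foreach ($sam in $accounts) {
    try {
        $user = Get-ADUser -Identity $sam -ErrorAction Stop
    } catch {
        Write-Warning "Account '$sam' not found, skipping."
        continue
    }
    Add-ADGroupMember -Identity 'Protected Users' -Members $user
}
# Verify membership.
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
```

Disabling NTLM domain-wide, the alternative Barnea names, is a separate Group Policy change (Network security: Restrict NTLM) and is not covered here.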