
Uncovering the Dangerous Outlook Zero-Click Remote Code Execution Vulnerability and Its Impact on Cybersecurity

Posted: December 22, 2023

Outlook Zero-Click Remote Code Execution Vulnerability

The vulnerability, tracked as CVE-2023-23397, was a serious flaw in the Outlook client. A crafted email, calendar or task item can carry a reminder whose sound-file parameter points at an attacker-controlled UNC path; when the reminder fires, Outlook follows that path and the user's NTLM credentials are sent to the attacker's server. Microsoft patched it in March 2023 after it emerged that a known Russian threat actor had already been exploiting it. What made the bug so concerning was that no user interaction was required: the item only had to arrive in the mailbox and the reminder had to trigger. By itself the flaw leaks credentials rather than running code; the remote code execution angle comes from combining this delivery vector with the file-parsing bugs covered further down.

Microsoft's fix made Outlook pass the reminder path through the MapUrlToZone API and reject it if the path resolves to the Internet zone, so that a reminder could no longer point the client at an external share.

Patch Bypasses Identified by Akamai

Akamai's researchers identified two bypasses of that patch. The first, CVE-2023-29324, used a crafted path that tricked MapUrlToZone into classifying a remote location as local, so the check passed and the client still connected to the attacker's server. The second, CVE-2023-35384, combined a path type confusion with a crafted URL to defeat the check again. Unlike the original vulnerability, however, this second bypass required user interaction to exploit.
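The common thread in the patch and both bypasses above is that the code deciding whether a path is remote and the code that later opens the path must agree on what the path means. The following is an added example, not code from Microsoft, Akamai or this page: a deliberately simplified model of that decision, with a naive classifier that inspects the raw string next to one that canonicalises first. The function names, the canonicalisation rules and the sample paths are assumptions made for illustration; the real Windows path parser is far more involved, and the actual bypass paths are not reproduced here.

```c
/*
 * Added example (not Microsoft's, Akamai's or this page's code): a toy model
 * of the "is this reminder sound path remote?" check. Rules are simplified
 * assumptions; the real Windows parser handles many more forms.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive "does s start with prefix", used for the UNC\ marker. */
static bool starts_with_icase(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++) {
        if (toupper((unsigned char)*s) != toupper((unsigned char)*prefix))
            return false;
    }
    return true;
}

/* Naive check: classify on the raw string. Two leading backslashes = remote. */
bool naive_is_remote(const char *path)
{
    return path[0] == '\\' && path[1] == '\\';
}

/*
 * Canonicalising check: first rewrite the path the way the file-open code
 * will see it (forward slashes become backslashes, the \\?\ and \\.\ device
 * prefixes are removed, \\?\UNC\host\share names a remote share), then
 * classify. Unknown or relative forms fail closed (treated as remote).
 */
bool canonical_is_remote(const char *path)
{
    char buf[512];
    size_t n = strlen(path);
    if (n >= sizeof buf)
        return true;                         /* too long to reason about: fail closed */
    for (size_t i = 0; i <= n; i++)          /* copy including the terminating NUL */
        buf[i] = (path[i] == '/') ? '\\' : path[i];

    const char *s = buf;
    if (strncmp(s, "\\\\?\\", 4) == 0 || strncmp(s, "\\\\.\\", 4) == 0) {
        s += 4;                              /* strip the device prefix */
        if (starts_with_icase(s, "UNC\\"))
            return true;                     /* \\?\UNC\host\share\file */
    }
    if (s[0] == '\\' && s[1] == '\\')
        return true;                         /* \\host\share\file */
    if (isalpha((unsigned char)s[0]) && s[1] == ':' && s[2] == '\\')
        return false;                        /* C:\path\file: local drive */
    return true;                             /* relative or empty: fail closed */
}

int main(void)
{
    /* Constructed sample reminder paths; not taken from any real exploit. */
    const char *samples[] = {
        "C:\\Windows\\Media\\chimes.wav",
        "\\\\attacker.example\\share\\alert.wav",
        "//attacker.example/share/alert.wav",
        "\\\\?\\UNC\\attacker.example\\share\\alert.wav",
        "\\\\?\\C:\\Windows\\Media\\chimes.wav",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-48s naive=%-6s canonical=%s\n", samples[i],
               naive_is_remote(samples[i]) ? "remote" : "local",
               canonical_is_remote(samples[i]) ? "remote" : "local");
    return 0;
}
```

Running it shows the naive classifier disagreeing with the canonical one in both directions: a forward-slash UNC path slips through as "local", while a legitimate `\\?\C:\` drive path is wrongly flagged as remote. Any such disagreement between the checker and the consumer is exactly the gap a crafted path can exploit, which is why a fix of this kind needs to classify the same canonical form that the file API will eventually open.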

Other Vulnerabilities Related to Outlook Attack Vector

Microsoft also had to address other vulnerabilities along the same attack vector. One was a flaw in how Windows parses sound files: an integer overflow in the Audio Compression Manager (ACM), reported by Akamai and tracked as CVE-2023-36710.

Akamai's analysis traced the bug to the mapWavePrepareHeader function in ACM, which adds bytes to the size of the destination buffer without checking for integer overflow. The write-up also notes that, with the IMA ADPCM codec, the file size involved is about 1 GB.
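To make the bug class concrete, here is an added example that is not Microsoft's ACM code and is not taken from Akamai's write-up: a model of a destination-buffer size derived from the source length in 32-bit arithmetic with no overflow check, beside a hardened variant that widens to 64 bits and rejects anything that would not fit. The expansion ratio, the fixed header constant and the sample sizes are assumptions chosen for illustration. With a ratio of 4 (a 4-bit ADPCM sample expanding to 16-bit PCM), a 1 GiB source makes the product exactly 2^32, which wraps to zero; that is the same order of file size the page quotes, but treat the match as illustrative rather than as the real function's arithmetic.

```c
/*
 * Added example (not Microsoft's ACM code): a model of an unchecked size
 * computation of the kind the page attributes to mapWavePrepareHeader.
 * Ratio and header constant are illustrative assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical fixed bytes the decoder adds to every destination buffer. */
#define DST_EXTRA_BYTES 4096u

/*
 * Vulnerable pattern: the size the decoder will need is src_bytes * ratio
 * plus a constant, computed in uint32_t. A large src_bytes wraps the
 * product, so the function returns a small size and the caller allocates
 * far less than the decode loop will write.
 */
uint32_t dst_size_unchecked(uint32_t src_bytes, uint32_t ratio)
{
    return src_bytes * ratio + DST_EXTRA_BYTES;
}

/* Hardened pattern: widen, then range-check before narrowing back. */
bool dst_size_checked(uint32_t src_bytes, uint32_t ratio, uint32_t *out)
{
    uint64_t total = (uint64_t)src_bytes * ratio + DST_EXTRA_BYTES;
    if (total > UINT32_MAX)
        return false;                     /* would wrap: reject the header */
    *out = (uint32_t)total;
    return true;
}

/*
 * How far past the (wrapped) allocation a decode of src_bytes would write,
 * in bytes, if the caller trusted dst_size_unchecked. Zero means no overrun.
 * Computed in 64 bits so the simulation itself cannot wrap.
 */
uint64_t overrun_bytes(uint32_t src_bytes, uint32_t ratio)
{
    uint64_t needed = (uint64_t)src_bytes * ratio + DST_EXTRA_BYTES;
    uint64_t allocated = dst_size_unchecked(src_bytes, ratio);
    return needed > allocated ? needed - allocated : 0;
}

int main(void)
{
    /* Ratio 4 models a 4-bit ADPCM sample expanding to 16-bit PCM. */
    const uint32_t ratio = 4;
    /* Constructed inputs: small, just under the wrap point, and 1 GiB. */
    const uint32_t inputs[] = { 1000u, 0x3FFFFFFFu, 0x40000000u };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint32_t checked = 0;
        bool ok = dst_size_checked(inputs[i], ratio, &checked);
        printf("src=%10u unchecked=%10u checked=%-8s overrun=%llu\n",
               inputs[i], dst_size_unchecked(inputs[i], ratio),
               ok ? "accepted" : "rejected",
               (unsigned long long)overrun_bytes(inputs[i], ratio));
    }
    return 0;
}
```

The 1 GiB row is the instructive one: the unchecked computation hands back a 4096-byte size while the decoder would emit 4 GiB, so the first write past the buffer happens almost immediately. The hardened version costs one 64-bit multiply and a comparison, which is the check the page says the original function lacked.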

Potential Future Vulnerabilities

Akamai warns that the attack surface in Outlook remains, so further vulnerabilities may well be found and exploited, and bypasses of Microsoft's other mitigations, such as dropping the PidLidReminderFileParameter property from incoming messages, are also possible. Continuous, vigilant monitoring is therefore necessary so that such latent vulnerabilities do not grow into full-blown security threats.
