Microsoft Issues Warning: Zero-Day Outlook Vulnerability
In recent news, Microsoft has issued a critical warning regarding zero-day attacks targeting their Office suite of products, Outlook in particular. These attacks pose a significant threat to organizations and individuals alike, as they exploit vulnerabilities in Microsoft Outlook and other Office applications to gain unauthorized access and execute remote code. The threat level is high and for now there is no patch.
The Severity of the Threat
The zero-day vulnerability, identified as CVE-2023-23397, has been rated at a staggering 9.8 out of 10 in terms of severity. This means that it is extremely critical and requires immediate attention from users. The exploit takes advantage of an elevation of privilege vulnerability in Microsoft Outlook, allowing threat actors to execute malicious code without any user interaction.
The Nature of the Attack
The vulnerability is triggered when a user receives a specially crafted email containing an extended MAPI property with a Universal Naming Convention (UNC) path pointing to a server controlled by the attacker. The result is what is known as a "Pass the Hash" attack, which bypasses authentication and grants the attacker unauthorized access to the target system.
“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.
An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”
Impacted Versions and Targeted Sectors
It is important to note that all currently supported versions of Outlook for Windows are affected by this zero-day vulnerability. This includes both individual users and organizations relying on the Office suite for their daily operations. Sectors such as government, transport, energy, and military have already fallen victim to targeted attacks conducted by an allegedly Russia-based threat actor.
There are a whopping 160 zero-day vulnerabilities in the July 2023 patch. The Outlook vulnerability, however, is among the most critical.
Urgent Patching and Mitigation Measures
Regrettably, at the time of this writing, Microsoft has not released an official patch to address this zero-day vulnerability. However, the company is actively working to provide customers with the necessary security updates either through the monthly release process or an out-of-band security update. It is crucial for users to install these patches as soon as they become available to mitigate the risk of exploitation.
In the meantime, Microsoft has recommended several mitigation measures to protect users from potential attacks. Users can leverage Microsoft Defender for Office and enable the "Block all Office applications from creating child processes" Attack Surface Reduction Rule to safeguard against phishing attempts and exploit activities.
Additionally, users can make use of the following registry key to further protect their systems:
The FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key is applied to each of the following Office executables:
Excel.exe
Graph.exe
MSAccess.exe
MSPub.exe
PowerPoint.exe
Visio.exe
WinProj.exe
WinWord.exe
Wordpad.exe
However, it is important to note that implementing this registry key may impact certain functionalities of the Microsoft Office applications mentioned above. Users should carefully consider the trade-off between functionality and security when applying this mitigation measure.
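The two interim mitigations above (the ASR rule and the per-executable registry values) as an added PowerShell script, not from the article or from Microsoft. It assumes the ASR rule GUID published in the Microsoft Defender documentation for "Block all Office applications from creating child processes" and the HKLM FeatureControl parent path from Microsoft's advisory, neither of which the article itself states; it defaults to audit-only so the functionality trade-off noted above can be reviewed before anything is changed.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
# Assumptions (not stated on the page): the ASR rule GUID below and the
# parent path of the FeatureControl key, both taken from Microsoft's docs.
param(
    [ValidateSet('Audit', 'Apply')] [string] $Mode = 'Audit'
)
$ErrorActionPreference = 'Stop'

# Executables the article lists for FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION.
$OfficeExes = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe',
              'PowerPoint.exe', 'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
$FeatureKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
# "Block all Office applications from creating child processes" (assumed GUID).
$AsrRuleId  = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-MitigationState {
    # Registry side: every listed exe must have a REG_DWORD value of 1 under the key.
    $key = Get-Item -Path $FeatureKey -ErrorAction SilentlyContinue
    $missing = foreach ($exe in $OfficeExes) {
        if (-not $key -or $key.GetValue($exe) -ne 1) { $exe }
    }
    # Defender side: the rule must be present with action 1 (Block/Enabled).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $asrEnabled = $false
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrRuleId -and $acts[$i] -eq 1) { $asrEnabled = $true }
    }
    [pscustomobject]@{
        RegistryValuesMissing = @($missing)
        AsrChildProcessBlock  = $asrEnabled
    }
}

if ($Mode -eq 'Apply') {
    New-Item -Path $FeatureKey -Force | Out-Null
    foreach ($exe in $OfficeExes) {
        New-ItemProperty -Path $FeatureKey -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Report the resulting state in both modes so the change can be verified.
Get-MitigationState | Format-List
```

Run with `-Mode Apply` only after testing the registry values against the Office workflows that depend on cross-protocol file navigation; the audit output lists exactly which executables still lack the value.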
Ongoing Exploitation and Global Implications
Disturbingly, the exploitation of CVE-2023-23397 has been ongoing for almost a year, primarily targeting government, defense, logistics, transportation, and energy sectors. Mandiant, a Google-owned threat intelligence company, has attributed these attacks to the Russian state-sponsored threat actor known as Fancy Bear (APT28). The extensive reach and persistence of these attacks emphasize the urgent need for comprehensive security measures and heightened cyber vigilance.
The Microsoft Outlook zero-day vulnerability, CVE-2023-23397, presents a critical security threat that demands immediate action. Organizations and individuals relying on Microsoft Office must remain vigilant, apply recommended mitigation measures, and install security patches promptly once they become available. It is crucial to prioritize cybersecurity and take proactive steps to safeguard sensitive data and prevent potential disruptions caused by malicious actors.
Remember, cybersecurity is a shared responsibility, and by staying informed and implementing the necessary security measures, we can mitigate risks, protect our systems, and ensure a safer digital environment for all. Stay proactive, stay secure.