Recently, Microsoft released a series of patches to address around 80 security vulnerabilities, including two zero-day exploits.
One of the critical zero-day exploits, CVE-2023-23397, is a vulnerability in Microsoft Outlook that could allow an attacker to gain elevated privileges. The severity of this vulnerability has been rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS).
This vulnerability is particularly concerning because it can be triggered when a victim receives a malicious message with an extended Message Application Program Interface (MAPI) property that contains a Universal Naming Convention (UNC) path.
This path directs the victim to a Server Message Block (SMB) share hosted on a server controlled by the attacker, leading to the exploitation of the vulnerability.
This vulnerability is even more dangerous because the attacker can use the New Technology LAN Manager (NTLM) negotiation message that is automatically sent when the victim connects to the attacker’s SMB server for authentication against other systems that support NTLM authentication.
Microsoft Outlook Vulnerability CVE-2023-2339 and its effects
The security flaw in question impacts the supported edition of Microsoft Outlook for Windows, excluding Android, iOS, and macOS versions.
To avoid possible attacks, Microsoft has advised users to update their systems immediately. If updating is not an option, Microsoft proposes the addition of users to the Protected Users group in Active Directory and blocking outbound SMB traffic on TCP port 445 as potential solutions.
It is worth noting that cybercriminals linked to Russian intelligence services have actively exploited this vulnerability in the past year.
To combat this, Microsoft has provided a PowerShell script that scans emails, calendar entries, and task items to identify and remove problematic items with the “PidLidReminderFileParameter” property and remove them.
A security researcher has also developed a Python script that can identify the presence of the “task.file.msg_data.reminderFileParameter” parameter used to exploit this vulnerability.
Microsoft releases patches for CVE-2023-2339 vulnerability
While releasing these patches and scripts is a significant step towards protecting users from this vulnerability, it highlights the ongoing battle between cybersecurity experts and malicious actors.
The constant evolution of cyber threats means that software companies must remain vigilant in identifying and addressing vulnerabilities before they can be exploited.
To sum up, the CVE-2023-23397 vulnerability is a severe threat that Russian threat actors have already exploited. Microsoft Outlook for Windows users should patch their systems immediately to prevent potential attacks.