Researchers at Morphisec have published technical details of CVE-2024-38021, a recently disclosed zero-click remote code execution (RCE) vulnerability in Microsoft Outlook. The flaw lets an attacker execute arbitrary code without authenticating and, for messages from trusted senders, without any user interaction.
The vulnerability lies in how Outlook handles composite monikers in image-tag URLs. Unlike the earlier CVE-2024-21413, which involved hyperlink parsing, CVE-2024-38021 bypasses Microsoft’s initial patch by going through the mso30win32client!HrPmonFromUrl method, which parses the URLs found in image tags.
That method does not set the BlockMkParseDisplayNameOnCurrentThread flag. Composite monikers are therefore still processed, and the unsafe MkParseDisplayName function is invoked on attacker-controlled input.
The attack passes a composite moniker in an image-tag URL. Because the earlier fix was applied only in the hyperlink-creation function, the image-tag path is not covered, and the outcome is potential remote code execution as well as a local NTLM credential leak.
Microsoft’s Patch
Microsoft’s patch for CVE-2024-38021 follows the same approach as the fix for the previous vulnerability: it sets the BlockMkParseDisplayNameOnCurrentThread flag in the HrPmonFromUrl function, which prevents MkParseDisplayName from being invoked for composite monikers in image-tag URLs.
However, Morphisec found that passing a simple file moniker still causes a local NTLM credential leak, so the patch does not close every avenue the image-tag parsing path exposes.
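As an added example (not code from Morphisec, Microsoft, or this article), the following Python check scans an HTML mail body for image sources that Outlook would hand to its URL-to-moniker parsing rather than fetch over HTTP. It covers both cases described above: a composite moniker carried in an image-tag URL, and a plain file moniker that still leaks NTLM credentials after the patch. Two assumptions are labelled in the code: that a file moniker's display name is a file:// URL, a drive path, or a UNC path (resolving a UNC path is what makes Outlook authenticate with NTLM to the remote host), and that a composite moniker's display name is such a path followed by "!" and an item name, the form used against the earlier hyperlink parser. The "!" heuristic is the example's own, not a signature from the article, and the sample bodies are constructed.

```python
"""Mail-gateway style check for moniker-bearing <img src> values.

Added example; not Morphisec's, Microsoft's, or the article's code.
Assumptions (not stated in the article):
  * file moniker display name = file:// URL, drive path, or UNC path;
    a UNC path makes Outlook authenticate with NTLM to that host;
  * composite moniker display name = such a path followed by '!' and an
    item name (the form used against the earlier hyperlink parser).
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample bodies, not real captured messages.
SAMPLE_BODIES = {
    "benign": '<p>Hello</p><img src="https://cdn.example.com/logo.png">',
    "inline": '<img src="cid:part1@example.com">',
    "file_moniker": '<img src="file://\\\\10.0.0.5\\share\\pixel.png">',
    "unc_bare": "<img src='\\\\10.0.0.5\\share\\pixel.png'>",
    "composite": '<img src="file:///C:/Users/Public/doc.rtf!item">',
    "encoded": '<img src="file:///C:/Users/Public/doc.rtf%21item">',
    "mixed": '<img src="https://cdn.example.com/a.png">'
             '<img src="file:///C:/Users/Public/doc.rtf!item">',
}

# Higher number = more urgent. 'other' is an unrecognised scheme worth a look.
SEVERITY = {"composite": 3, "file": 2, "other": 1, "inline": 0, "web": 0}

_DRIVE_PATH = re.compile(r"^[a-z]:[\\/]")


class _ImgSrcCollector(HTMLParser):
    """Collects every <img src=...> value in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def extract_img_sources(html_body: str) -> list[str]:
    parser = _ImgSrcCollector()
    parser.feed(html_body)
    return parser.sources


def classify_img_source(src: str) -> str:
    """Return 'web', 'inline', 'file', 'composite', or 'other'."""
    s = unquote(src).strip()          # undo %21 etc. before inspecting
    lowered = s.lower()
    if lowered.startswith(("http://", "https://")):
        return "web"
    if lowered.startswith(("cid:", "data:")):
        return "inline"
    is_file_path = (
        lowered.startswith("file:")          # file:// URL
        or s.startswith("\\\\")              # UNC path -> NTLM auth to host
        or _DRIVE_PATH.match(lowered) is not None
    )
    if not is_file_path:
        return "other"
    # Assumption: '!' after the path marks a composite (file + item) moniker.
    display_name = s[5:] if lowered.startswith("file:") else s
    display_name = display_name.lstrip("/")
    return "composite" if "!" in display_name else "file"


def scan_html_body(html_body: str) -> list[tuple[str, str]]:
    return [(src, classify_img_source(src)) for src in extract_img_sources(html_body)]


def verdict(html_body: str) -> str:
    """'quarantine' for file or composite monikers, 'review' for unknown
    schemes, else 'clean'."""
    findings = scan_html_body(html_body)
    if not findings:
        return "clean"
    worst = max(SEVERITY[kind] for _, kind in findings)
    if worst >= 2:
        return "quarantine"
    return "review" if worst == 1 else "clean"


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(f"{label:13s} {verdict(body):10s} {scan_html_body(body)}")
```

Note that a plain file moniker is quarantined, not merely flagged, because the article reports that this case still leaks NTLM credentials after the patch; the "!" rule is a heuristic and will also match legitimate file paths that happen to contain an exclamation mark.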
Microsoft rated the vulnerability “Important” rather than “Critical”, distinguishing between trusted and untrusted senders: for trusted senders exploitation is zero-click, while for untrusted senders it requires a single click from the user.
Given the potential for widespread impact, in particular the zero-click path for trusted senders, Morphisec has asked Microsoft to reassess the severity and rate it “Critical”.
Organizations are strongly advised to:
- Promptly update all Microsoft Outlook and Office applications.
- Implement robust email security measures, including disabling automatic email preview, so that message content is not rendered without the user opening it.
- Educate users about the risks of opening emails from unknown sources.
Morphisec additionally suggests that Automated Moving Target Defense (AMTD) techniques can reduce exposure to vulnerabilities of this kind, including CVE-2024-38021.