Outlook flaw opens doors to remote code execution

by time news

Microsoft released its batch of monthly security updates on this month’s Patch Tuesday covering 73 vulnerabilities, including two zero-day flaws exploited by threat actors. While organizations should prioritize all critical and high-risk issues, there is a critical vulnerability in Outlook that security researchers say could open the door to trivial attacks that result in remote code execution (RCE).

Dubbed MonikerLink by researchers at security firm Check Point Software who found it, the vulnerability allows attackers to bypass Office Protected View mode, which opens files downloaded from the internet in read-only mode by default to prevent the execution of potentially malicious internal scripts.

“Let’s assume the attacker has an exploit for Microsoft Word working without Protected View (as this is the most common case),” Check Point researchers explained. “If the exploit is sent as an attachment, the attacker needs the victim to double-click the attachment. However, this is not the total because an attachment sent from an external email address would activate Protected View in Word and block the attacker’s exploit because the exploit does not work when Protected View is enabled.”

“This means that the attacker needs to trick the victim into performing another single click to exit Word Protected View mode so that his exploit can be carried out,” the researchers said. “So in total, it’s a double-click and a single-click for the entire attack chain.”

Email attachments and links are the most common vectors for malware distribution. Mechanisms like Protected View make it more difficult for attackers to deploy exploits for existing vulnerabilities in Microsoft Word, Excel, PowerPoint, and other Office components. According to the researchers, MonikerLink also poses a broader security risk associated with the use of insecure APIs, such as MkParseDisplayName/MkParseDisplayNameEx, potentially affecting not only Outlook but also other software that uses these APIs insecurely.

The discovery of this bug in Outlook serves as a call to action for the security and developer communities to identify and fix similar vulnerabilities in other applications, ensuring the security of the Windows/COM ecosystem.

With MonikerLink, tracked as CVE-2024-21413 by Microsoft, such an exploit chain would require a single user click, because the vulnerability exists in the way Outlook “calls” external applications when users click a link within an e-mail message. Additionally, the flaw could serve as a vehicle to deliver one-click exploits for applications other than Word.

More details on the risks of the MonikerLink bug are available from the Check Point Software researchers. The Microsoft Security Response Center also addresses the vulnerability.
