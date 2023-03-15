



Microsoft has confirmed that a critical Outlook vulnerability with a CVSS score of 9.8 out of 10 is already being exploited in the wild. Simply receiving a malicious email triggers the exploit, and it runs before the message is even displayed in the preview pane. That’s right; this is an exploit that requires no user interaction at all. Here’s what we know so far about the new Microsoft Outlook zero-day.

What is CVE-2023-23397, a critical zero-day vulnerability in Microsoft Outlook?

CVE-2023-23397 is an elevation-of-privilege vulnerability in Microsoft Outlook that, according to the Microsoft Security Response Center (MSRC), has already been used by a “Russia-based threat actor” in targeted attacks against a limited number of organisations in the government, transportation, energy and military sectors in Europe. The Ukrainian Computer Emergency Response Team (CERT-UA) reportedly discovered the zero-day and reported it to Microsoft.

Full technical details are still pretty thin on the ground. However, according to the MSRC post, the vulnerability allows an attacker “to send a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server.” No user interaction is required: the exploit is triggered automatically when the Outlook client retrieves and processes the message. When the victim’s machine connects to the remote SMB (Server Message Block) server, it sends the user’s New Technology LAN Manager (NTLM) negotiation message, which the attacker can capture and relay to authenticate as that user against other systems that support NTLM authentication. “Online services such as Microsoft 365 do not support NTLM authentication,” MSRC confirmed in its post, so they are not vulnerable to this exploit.
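The article does not name the property, but the extended MAPI property in question is the reminder-sound path (PidLidReminderFileParameter, 0x851F), which is what Microsoft’s own CVE-2023-23397 investigation script inspects. The function below is an added example, not Microsoft’s script and not code from this article: it classifies candidate values of that property the way an investigator would when triaging mailbox contents, distinguishing a normal local sound file from a UNC path that would make Outlook reach out to a remote host. The trusted DNS suffix and private IP ranges are assumptions to be replaced with your own environment’s values.

```powershell
# Added example (not Microsoft's CVE-2023-23397 script, not code from the article):
# classify candidate values of the extended MAPI reminder-sound property so an
# investigator can spot messages that would make Outlook reach out to a remote host.
# Assumptions: the trusted DNS suffix and the private IP ranges are placeholders.

function Test-ReminderFilePath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        [string[]]$TrustedSuffixes = @('.corp.example')   # assumed internal DNS suffix
    )

    $result = [pscustomobject]@{
        Value      = $Value
        IsUnc      = $false
        TargetHost = $null
        Transport  = 'local'     # local | smb | webdav
        External   = $false      # UNC path to a host outside the trusted set
    }
    if ([string]::IsNullOrWhiteSpace($Value)) { return $result }

    # Windows accepts \\host\share, //host/share and file://host/share; normalise them.
    $path = $Value -replace '/', '\'
    $path = $path -replace '^(?i)file:\\+', '\\'
    if ($path -notmatch '^\\\\([^\\]+)(\\|$)') { return $result }   # plain local path

    $result.IsUnc = $true
    $hostPart = $Matches[1]

    # A "host@port" or "host@SSL@port" segment is handed to the WebClient service,
    # so the request goes out over HTTP/HTTPS (WebDAV) rather than TCP 445.
    if ($hostPart -like '*@*') {
        $result.Transport  = 'webdav'
        $result.TargetHost = ($hostPart -split '@')[0]
    } else {
        $result.Transport  = 'smb'
        $result.TargetHost = $hostPart
    }

    # Internal targets are not "external", but still deserve review: an attacker
    # with a foothold can relay the captured NTLM exchange inside the network.
    $h = $result.TargetHost.ToLowerInvariant()
    $isPrivateIp   = $h -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)'
    $isTrustedName = ($h -eq 'localhost') -or ($TrustedSuffixes | Where-Object { $h.EndsWith($_) })
    $result.External = -not ($isPrivateIp -or $isTrustedName)
    return $result
}

# Constructed sample values (not captured data): the default local sound, an
# internal share, and three spellings of an attacker-controlled TEST-NET address.
$samples = @(
    'C:\Windows\Media\Windows Notify Calendar.wav',
    '\\fileserver.corp.example\sounds\chime.wav',
    '\\203.0.113.10\share\reminder.wav',
    '//203.0.113.10/share/reminder.wav',
    '\\203.0.113.10@80\share\reminder.wav'
)
$samples | ForEach-Object { Test-ReminderFilePath -Value $_ } |
    Format-Table Value, IsUnc, Transport, TargetHost, External -AutoSize
```

The last sample matters for the mitigation discussion: a UNC path written as `\\host@80\share` is routed to the WebClient service and travels over HTTP, so a rule that only blocks outbound TCP 445 does not stop it.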

All currently supported versions of Outlook for Windows are affected, but Outlook for the web or anything running on Android, iOS, or Mac is not.

So What Do You Need To Do Now?

The good news is that the CVE-2023-23397 advisory coincides with the release of the latest Patch Tuesday round of security updates for Microsoft customers, so the recommendation is simply to apply the relevant patch. That said, if your organization is unable to apply these security updates immediately, Microsoft has published two workarounds. Adding users to the Protected Users security group prevents them from authenticating with NTLM at all, although Microsoft warns that this may “impact applications that require NTLM.” Alternatively, you can block outbound TCP 445/SMB from your network using perimeter firewall, local firewall or VPN settings.
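As an added example (not Microsoft’s own guidance text), the two interim mitigations described above applied with standard Windows cmdlets. The rule name, the sample account name and the profile scoping are placeholders to adapt to your environment.

```powershell
# Added example, not Microsoft's guidance text: apply the two interim
# mitigations from the article. Assumptions: the rule name and the
# account 'jdoe' are placeholders; run elevated, and run the AD part on a
# host with the ActiveDirectory (RSAT) module installed.

# 1. Block outbound SMB (TCP 445) so the NTLM negotiation never leaves the host.
#    Caveat: this also breaks access to legitimate file shares on that profile,
#    and it does not stop WebDAV-style paths (\\host@80\share), which use the
#    WebClient service over HTTP/HTTPS instead of port 445.
New-NetFirewallRule -DisplayName 'Block outbound SMB (CVE-2023-23397 mitigation)' `
    -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block `
    -Profile Any -Enabled True

# Verify the rule and its port filter landed as intended
Get-NetFirewallRule -DisplayName 'Block outbound SMB (CVE-2023-23397 mitigation)' |
    Get-NetFirewallPortFilter

# 2. Add high-value user accounts to Protected Users, which disables NTLM
#    authentication for them (and also cached logons, Kerberos DES/RC4 and
#    delegation, which is the "impact on applications" Microsoft warns about).
#    Do not add service or computer accounts to this group.
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'Protected Users' -Members 'jdoe'

# Confirm membership
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
```

Test the firewall rule on a small group first: any client that relies on internal SMB file shares or printers on the affected profile will lose them until the rule is scoped or removed after patching.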

Microsoft mitigations for CVE-2023-23397

What does the security industry say about Microsoft Outlook zero-days?

Automox Technical Product Manager Peter Pflaster said: “Microsoft has shared two temporary mitigations in case they can’t patch immediately. Both impact NTLM and the applications that use it, so proceed with caution.”

“Given the network attack vector, the ubiquity of SMB shares, and the lack of required user interaction, an attacker with a suitable existing foothold on the network could consider this vulnerability a prime candidate for lateral movement. There is a lot of potential,” said Adam Barnett, lead software engineer at Rapid7.



Bharat Jogi, Director of Vulnerability and Threat Research at Qualys, said:

Mike Walters, vice president of vulnerability and threat research at Action1, said: “This could be exploited before the email is displayed in the preview pane. A successful exploit would allow the attacker to access the user’s Net-NTLMv2 hash, which could be used to perform a pass-the-hash attack on another service and authenticate. The best way is to test in a controlled environment and then install the Microsoft update on all systems.”

