A work-around enables exploitation of a patched vulnerability.

Researchers at Akamai have discovered a critical vulnerability in an internet explorer component assigned CVE-2023-29324. This vulnerability tricks an outlook client into connecting with the attacker’s server. This allows the attacker to crack the victim’s password offline or use it in a relay attack. It is assessed that Russian threat actors have been using this exploit for over a year, targeting the European government, transportation, energy and military sectors. Importantly, this attack is classified as a no-click attack, which means that the victim doesn’t have to interact with the malware by clicking a link or downloading a zip file. It works by sending a reminder email to the victim with a custom sound notification. The sound notification contains a path to the attacker’s server allowing the outlook client and the bad server initiating a handshake and giving the attacker access to the Net-NTLMv2 hash. Akamai informed Microsoft of this vulnerability and Microsoft released an update in the March Patch Tuesday to fix the problem, but Akamai has since determined that there are workarounds that could get past the patch.

How the work-around is accomplished.

The work-around is achieved by tricking MapURLToZone into thinking the URL is local as opposed to remote. The attacker accomplish this by inserting an extra [ / ] character to their UNC path. This ultimately bypasses Microsoft’s mitigation by tricking “CreateFile” to download a file from a URL that has been disguised as being local. 

Akamai research adds that “Microsoft published comprehensive guidance for the detection and mitigation of the original Outlook vulnerability. From our observation, all the methods specified are applicable to the new vulnerability as they are not dependent on the URL specified in the PidLidReminderFileParameter property.” Additionally, researchers are asserting that the custom sound notification feature should be removed completely as it causes more harm than good. It is a zero-click media parsing attack surface that could potentially contain critical memory corruption vulnerabilities. Considering how ubiquitous Windows is, eliminating an attack surface as ripe as this is could have some very positive effects. 

Patches and initial releases need quality control.

The researchers concluded that this was discovered when researchers were analyzing patches for existing vulnerabilities which emphasizes the need for quality control when organizations respond to vulnerabilities.

In keeping with CISA’s Secure By Design approach, which is also being recommended for adoption by private software providers, it is crucial that the software and the security patches go through rigorous quality control to ensure that bad actors can’t just add a character to bypass a security patch.

Microsoft addressed those remaining issues in yesterday's Patch Tuesday.