Akamai security researcher Ben Barnea, who discovered and reported the bug, noted that all Windows versions are affected but pointed out that Microsoft Exchange servers with the March update omit the vulnerable feature.
An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server.
This results in theft of the victim's NTLM credentials. The flaw is zero-click: it can be triggered without any user interaction.
It’s also worth noting that CVE-2023-29324 is a bypass for a fix Microsoft put in place in March 2023 to resolve CVE-2023-23397, a critical privilege escalation flaw in Outlook that the company said has been exploited by Russian threat actors in attacks aimed at European entities since April 2022.
Akamai found that the issue stems from the complex handling of paths in Windows, which lets a threat actor craft a malicious URL that sidesteps the Internet security zone checks Microsoft relied on in its March fix.
This vulnerability is another example of how scrutinizing a patch can lead to new vulnerabilities and bypasses. The underlying feature is a zero-click media parsing attack surface that could potentially harbor critical memory corruption vulnerabilities.
To stay fully protected, Microsoft further recommends that users install the Internet Explorer Cumulative updates to address vulnerabilities in the MSHTML platform and scripting engine.