
Urgent Security Alert for Windows and Office Users


Microsoft has identified a critical vulnerability, CVE-2023-23397, affecting various Microsoft applications including Windows, Office, Bing, and Outlook. This vulnerability allows attackers to execute privilege escalation attacks without user interaction by exploiting Microsoft Outlook on Windows.

Discovered initially in mid-April 2022, this vulnerability involves a method where attackers send specially crafted messages that trigger a Net-NTLMv2 hash leak from Outlook. These hashes can then potentially be used by attackers to authenticate against other systems. Notably, no user interaction is required for the exploit to occur—simply having Outlook open can initiate the exploit if a malicious message’s reminder is triggered.

This vulnerability scores a high severity rating of 9.8, reflecting its potential to cause significant impact without complex execution strategies. All versions of Microsoft Outlook for Windows are affected. However, Outlook applications on Android, iOS, and Mac, as well as the web version, are not susceptible to this particular attack.

Microsoft has released patches to address this vulnerability and strongly advises all users to update their software immediately. The security update modifies how Outlook handles message properties to prevent unauthorized external connections.

Organizations are also advised to implement additional safeguards:

  • Block outbound connections to TCP port 445 (SMB), which is used in the exploit.
  • Add users to the Protected Users group in Active Directory to disable NTLM authentication.
  • Regularly run Microsoft-provided scripts to detect and mitigate any signs of exploitation in your systems.
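
One way to check that the outbound SMB block is actually in force is to audit Windows Firewall logs for TCP port 445 connections leaving the network. The following is an added example, not part of the original article and not one of Microsoft's scripts; it assumes Windows Firewall logging is enabled in the standard `pfirewall.log` layout, the internal address ranges are assumptions, and the log lines are constructed samples.

```python
import ipaddress

# Ranges treated as internal (assumption: replace with your own network plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample in Windows Firewall log layout; not real traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-03-20 09:14:02 ALLOW TCP 10.1.4.23 10.1.0.5 50112 445 0 - 0 0 0 - - - SEND
2023-03-20 09:15:40 ALLOW TCP 10.1.4.23 203.0.113.10 50130 445 0 - 0 0 0 - - - SEND
2023-03-20 09:15:41 DROP TCP 10.1.4.77 203.0.113.10 50991 445 0 - 0 0 0 - - - SEND
2023-03-20 09:16:05 ALLOW TCP 10.1.4.23 203.0.113.10 50131 443 0 - 0 0 0 - - - SEND
2023-03-20 09:17:19 ALLOW TCP 198.51.100.7 10.1.4.23 40000 445 0 - 0 0 0 - - - RECEIVE
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def external_smb_events(log_text, smb_port="445"):
    """Return (allowed, blocked) outbound TCP/445 records to non-internal hosts."""
    fields, allowed, blocked = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the log header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        # Only outbound (SEND) TCP traffic to the SMB port is of interest here.
        if (rec.get("protocol"), rec.get("dst-port"), rec.get("path", "SEND")) != ("TCP", smb_port, "SEND"):
            continue
        try:
            external = not is_internal(rec["dst-ip"])
        except (KeyError, ValueError):     # malformed or truncated line
            continue
        if external:
            (allowed if rec.get("action") == "ALLOW" else blocked).append(rec)
    return allowed, blocked

if __name__ == "__main__":
    allowed, blocked = external_smb_events(SAMPLE_LOG)
    for rec in allowed:                    # each hit means the egress block did not apply
        print("ALLOWED outbound SMB:", rec["date"], rec["time"], rec["src-ip"], "->", rec["dst-ip"])
    print(len(blocked), "outbound SMB attempt(s) blocked")
```

An allowed record means a workstation reached an external SMB endpoint and the egress rule needs attention; a blocked record shows the rule working but still identifies a host worth reviewing.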

The gravity of this vulnerability lies in its ability to be exploited remotely and discreetly, potentially allowing attackers access to sensitive data or network resources without the user’s knowledge. The threat is amplified by reports of targeted attacks using this vulnerability, particularly by sophisticated groups associated with nation-state activities targeting sectors like government and defense.

It is imperative for users and organizations using affected Microsoft products to apply the provided patches and adhere to recommended security practices to protect against potential data breaches and system infiltrations. Continued vigilance and prompt action in response to such vulnerabilities are crucial in maintaining cybersecurity resilience.
