Microsoft releases fix for patched Outlook issue exploited by Russian hackers

Microsoft on Tuesday released a new fix for a vulnerability that was initially patched in March but was later discovered by security researchers to be flawed.

Ukrainian cybersecurity officials at CERT-UA reported a vulnerability to the Microsoft incident response team earlier this year after Russia-based hackers used a vulnerability in Microsoft’s Outlook email service.

“Microsoft Threat Intelligence assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe,” Microsoft said in an advisory, noting that it had a CVSS score of 9.8 out of 10.

Although the issue was patched in March, Akamai researcher Ben Barnea discovered a way around the patch that would allow an attacker to use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server.

Barnea said the issue is a zero-click vulnerability – meaning it can be triggered with no user interaction – and all Windows versions are affected by it.

Remember that 0-click Outlook vulnerability with a custom sound leading to NTLM theft?

Akamai researchers found a way to bypass the patch to it.

In our write-up, see how adding a slash allowed for a bypass.https://t.co/eO121SaZur pic.twitter.com/YrrBikMZqj

— Akamai Security Intelligence Group (@akamai_research) May 10, 2023

The issue was reported to Microsoft and fixed on Tuesday, and is referred to as CVE-2023-29324.

Barnea explained that the addition of a single character rendered the initial patch useless. But he and the security team at Akamai took issue with Microsoft’s classification of the issue, which was given a CVSS score of just 6.5.

“According to information shared with us, by Microsoft, beforehand (and seemingly with others as well), the vulnerability indeed received critical severity and a CVSS score of 7.5. However, on Patch Tuesday Microsoft ranked the vulnerability as important and reduced its CVSS to 6.5,” they said.

“Our research indicates that the new vulnerability re-enables the exploitation of a critical vulnerability that was seen in the wild and used by APT [advanced persistent threat] operators. We still believe our finding is of high severity. In the hands of a malicious actor, it could still have the same consequences as the critical original Outlook bug.”

Microsoft did not respond to questions about the discrepancy, only telling Recorded Future News that “customers who apply the update, or have automatic updates enabled, will be protected.”

A spokesperson also shared a link to the initial advisory from March, which has been updated with an acknowledgement of Akamai’s findings.

The vulnerability allowed for the theft of credentials related to Windows New Technology LAN Manager (NTLM) – a suite of security protocols offered by Microsoft to authenticate users' identity and protect the integrity and confidentiality of their activity.

Barnea said the vulnerability is “yet another example of patch scrutinizing leading to new vulnerabilities and bypasses.”

“Specifically for this vulnerability, the addition of one character allows for a critical patch bypass,” he said. “Considering how ubiquitous Windows is, eliminating an attack surface as ripe as this is could have some very positive effects.”

On Patch Tuesday, Microsoft fixed 49 other vulnerabilities, including three zero-day vulnerabilities and five critical Remote Code Execution (RCE) vulnerabilities.

Two of the actively exploited zero-day vulnerabilities – CVE-2023-29336 and CVE-2023-24932 – were allegedly exploited by Turla, a group long affiliated with the Russian Federal Security Service (FSB).