In this month's Patch Tuesday (May 2023), Microsoft fixed a bug tracked as CVE-2023-29324. It affects the Windows MSHTML platform, and Microsoft rates it as Important.
The new vulnerability CVE-2023-29324 re-enables exploitation of CVE-2023-23397, the critical zero-click Outlook vulnerability that was exploited in the wild by APT operators before it was patched in March 2023.
Attackers could send specially crafted emails that cause the victim's Outlook client to connect to an attacker-controlled location. That connection leaks the victim's Net-NTLMv2 hash to the attacker's server, which the attacker can then relay to another service and authenticate as the victim.
The email does not have to be opened or previewed by the user for the exploit to work; it only needs to be retrieved and processed by the Outlook client.
Microsoft classifies CVE-2023-29324 as a security feature bypass, but because it defeats the fix for the critical original Outlook bug, its consequences are the same.
The patch for CVE-2023-23397 changed the code flow in Outlook so that, before playing a custom reminder sound, it first checks whether the universal naming convention (UNC) path that references the sound file maps to an internet URL security zone; if it does, Outlook plays the default reminder sound instead of the custom one.
While analyzing that patch, it was noted that the check can be bypassed by adding a single character to the path. That character changes how the Windows function that performs the zone check (MapUrlToZone) categorizes the UNC path, so the path passes the check yet still causes Outlook to open the remote file. The custom reminder sound feature itself is a zero-click media parsing attack surface that could also contain critical memory corruption vulnerabilities; eliminating an attack surface as ripe as this could have some very positive effects.
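As an added example (not code from the original post, from Microsoft, or from the researchers who found the bypass), the script below hunts for mail items whose reminder sound points at a remote path, the property abuse that CVE-2023-23397 relies on. The two MAPI property names are the real ones used by Outlook's reminder feature (PidLidReminderOverride and PidLidReminderFileParameter); the message records and the 203.0.113.10 host are constructed. The classifier is deliberately conservative and does not try to reproduce the Windows zone-mapping logic that the bypass targeted: it normalizes the string first and treats anything that is not provably a local drive path as untrusted.

```python
# Added example, not part of the original post: hunt for Outlook items whose
# custom reminder sound references a remote (UNC / file://) path.
# Property names are real MAPI named properties; message records are constructed.
import re
from typing import Dict, List, Optional, Tuple

# Named MAPI properties used by the Outlook reminder feature.
PID_LID_REMINDER_OVERRIDE = "PidLidReminderOverride"             # 0x851C, PT_BOOLEAN
PID_LID_REMINDER_FILE_PARAMETER = "PidLidReminderFileParameter"  # 0x851F, PT_UNICODE

# Control characters and whitespace are stripped before classification so that
# a leading space or embedded NUL cannot change how the prefix is read.
_CONTROL_WS = re.compile(r"[\x00-\x20]")
_DRIVE_PATH = re.compile(r"^[a-z]:\\")


def normalize_path(raw: str) -> str:
    """Strip control/whitespace characters and unify slashes before classifying.

    The patched Outlook asks Windows which URL security zone the path maps to;
    the bypass worked because the zone mapper and the file-open code parsed the
    same string differently. A hunting rule therefore normalizes aggressively
    and classifies only the normalized form.
    """
    cleaned = _CONTROL_WS.sub("", raw)
    return cleaned.replace("/", "\\")


def is_untrusted_sound_path(raw: str) -> bool:
    """True if the reminder sound path is anything other than a local drive path."""
    p = normalize_path(raw)
    lower = p.lower()
    if lower.startswith("file:"):
        return True          # file://host/share/... is a UNC path in disguise
    if p.startswith("\\\\"):
        return True          # \\host\share, \\?\UNC\host\..., \\.\UNC\host\...
    if _DRIVE_PATH.match(lower):
        return False         # C:\Windows\Media\chimes.wav and similar
    # Relative paths, unknown schemes and odd prefixes are not provably local:
    # fail closed and let an analyst look at them.
    return True


def extract_reminder_path(props: Dict[str, object]) -> Optional[str]:
    """Return the custom reminder sound path from a message's properties, if any."""
    path = props.get(PID_LID_REMINDER_FILE_PARAMETER)
    if isinstance(path, str) and path:
        return path
    return None


def scan_messages(messages: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (message_id, path) for every item with an untrusted reminder sound.

    In-the-wild messages set PidLidReminderOverride together with the file
    parameter, but the hunt does not require the override flag so that
    variants are not missed; the flag is still available for triage.
    """
    hits: List[Tuple[str, str]] = []
    for msg in messages:
        path = extract_reminder_path(msg)
        if path is not None and is_untrusted_sound_path(path):
            hits.append((str(msg["id"]), path))
    return hits


# Constructed sample mailbox: property values as an extraction tool would expose them.
SAMPLE_MESSAGES: List[Dict[str, object]] = [
    {"id": "msg-001", "subject": "Team sync",
     PID_LID_REMINDER_OVERRIDE: True,
     PID_LID_REMINDER_FILE_PARAMETER: r"C:\Windows\Media\chimes.wav"},
    {"id": "msg-002", "subject": "Invoice",
     PID_LID_REMINDER_OVERRIDE: True,
     PID_LID_REMINDER_FILE_PARAMETER: r"\\203.0.113.10\share\reminder.wav"},
    {"id": "msg-003", "subject": "Reminder",
     PID_LID_REMINDER_OVERRIDE: True,
     PID_LID_REMINDER_FILE_PARAMETER: "file://203.0.113.10/share/reminder.wav"},
    {"id": "msg-004", "subject": "Lunch",
     PID_LID_REMINDER_OVERRIDE: False},
    {"id": "msg-005", "subject": "Review",
     PID_LID_REMINDER_OVERRIDE: True,
     PID_LID_REMINDER_FILE_PARAMETER: r"\\?\UNC\203.0.113.10\share\reminder.wav"},
]


if __name__ == "__main__":
    for msg_id, path in scan_messages(SAMPLE_MESSAGES):
        print(f"{msg_id}: untrusted reminder sound path {path!r}")
```

Running the script flags msg-002, msg-003 and msg-005; the local chimes.wav item and the item with no custom sound are left alone. The point of the fail-closed classifier is the lesson of CVE-2023-29324: a check that tries to decide "is this remote?" by asking one parser is only as good as that parser's agreement with the code that later opens the file, so a detection rule should not trust any prefix it cannot positively identify as local.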
The risk of exploitation of both CVE-2023-23397 and CVE-2023-29324 is removed by applying both patches: the March 2023 Outlook update for CVE-2023-23397 and the May 2023 Windows update for CVE-2023-29324. Note that the second fix is a Windows (MSHTML platform) update rather than an Outlook update, so patching Outlook alone leaves the bypass open.