Experts Reveal New Details of Zero-Click Outlook RCE Exploits

December 18, 2023NewsroomEmail Security / Vulnerability

Zero-Click Outlook RCE Exploits

Technical details have emerged about two currently-patched security flaws in Microsoft Windows that can be a chain of threat actors to achieve remote code execution in the Outlook email service sans any user interaction.

“An internet attacker could chain vulnerabilities to create a full, zero-click remote code execution (RCE) exploit against Outlook clients,” Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a two parts report shared on The Hacker News.

The security issues, addressed by Microsoft in August and October 2023, respectively, are listed below –

  • CVE-2023-35384 (CVSS score: 5.4) – Windows HTML Platforms Security Feature Bypass Vulnerability
  • CVE-2023-36710 (CVSS score: 7.8) – Windows Media Foundation Core Remote Code Execution Vulnerability

CVE-2023-35384 is described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. Tracked as CVE-2023-23397 (CVSS score: 9.8), the flaw involves in a case of privilege escalation that could result in the theft of NTLM credentials and enable an attacker to conduct a relay attack.

Earlier this month, Microsoft, Proofpoint, and Palo Alto Networks Unit 42 revealed that a Russian threat actor known as APT29 was actively weaponizing the bug to gain unauthorized access to accounts of victims within the Exchange servers.

It’s worth noting that CVE-2023-35384 is also the second patch bypass after CVE-2023-29324, which was also discovered by Barnea and subsequently fixed by Redmond as part of the May 2023 security update.

“We found another bypass of the original Outlook vulnerability – a bypass that once again allowed us to force the client to connect to a server controlled by the attacker and download a malicious sound file, Barnea said.


CVE-2023-35384, like CVE-2023-29324, is rooted in the parsing of a path by MapUrlToZone function which can be exploited by sending an email containing a malicious file or a URL to an Outlook client.

“A security feature bypass vulnerability exists when the MSHTML platform fails to validate the correct Security Zone on requests for certain URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended,” Microsoft said. in its advisory.

In doing so, the vulnerability can not only be used to leak NTLM credentials, but can also be chained with a sound parsing error (CVE-2023-36710) to download a custom sound. file that, when autoplayed using the Outlook reminder sound feature, can. leads to zero-click code execution on the victim machine.

CVE-2023-36710 affects the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework used to manage audio codecs, and is the result of an integer overflow vulnerability that occurs when playing WAV files.

“Finally, we were able to trigger the vulnerability using the IMA ADP codec,” Barnea explained. “The size of the file is approximately 1.8 GB. By performing the limit mathematical operation in the calculation we can conclude that the smallest possible file size with the IMA ADP codec is 1 GB.”

To mitigate the risks, it is recommended that organizations use microsegmentation to block outgoing SMB connections to remote public IP addresses. In addition, it is also advised to disable NTLM, or add users to Protected Users security groupwhich prevents the use of NTLM as an authentication mechanism.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment