By lconstantin, CSO Senior Writer

Microsoft fixes dangerous zero-click Outlook remote code execution exploit

News | 12 Jun 2024 | 3 mins | Vulnerabilities, Windows Security

The vulnerability is particularly hazardous as it affects Outlook’s Preview Pane once an email has been opened.


As part of its Patch Tuesday cycle, Microsoft has fixed a high-risk vulnerability in its Outlook desktop client that could be exploited by attackers to execute malicious code when opening a specially crafted email message.

Although the flaw is triggered when an email is opened, the attack is effectively zero-click because the Outlook Preview Pane, which renders a message without the user explicitly opening it, is also affected.

“This lack of required user interaction, combined with the straightforward nature of the exploit, increases the likelihood that adversaries will leverage this vulnerability for initial access,” researchers from security firm Morphisec who found and reported the flaw said in a June 11 blog post.

The vulnerability is tracked as CVE-2024-30103 and Microsoft rates it 8.8 (high) on the CVSS scale. It is likely not rated critical because it requires the attacker to be authenticated with valid Exchange user credentials, but that is not necessarily a big hurdle to overcome, as Exchange credentials are often compromised during network breaches.

At the very least, this exploit could make lateral movement through a network easier once a single corporate email account is compromised and the attacker can send email on its behalf.

The vulnerability could enable the creation of malicious DLL files

While Morphisec has held back the technical details of the flaw, planning to include it in a presentation at the DEF CON conference this year, Microsoft does provide some hints in its advisory.

“An attacker who successfully exploited this vulnerability could bypass Outlook registry block lists and enable the creation of malicious DLL files,” the company said.

The arbitrary code execution occurs with the privileges of the current user, so, in order to fully take over a system, attackers would have to combine it with a privilege escalation flaw. The researchers who found this vulnerability claim to have found a second one that will be included in their DEF CON presentation, but which has not been patched yet.

Attackers have exploited Outlook vulnerabilities in the wild before, as email is the primary vector for distributing malware. Even APT groups have exploited Outlook flaws, including zero-click ones.

Organizations urged to update Outlook clients

Even though Microsoft assessed the exploitability of this flaw as “less likely,” the Morphisec researchers believe it will be adopted by attackers once more details or a proof-of-concept exploit becomes available.

“Morphisec strongly urges all organizations to update their Microsoft Outlook clients immediately to mitigate the risk associated with this vulnerability,” they said. “Given the ease of exploitation, prompt action is crucial to ensure the security of systems and sensitive data.”

Microsoft patched a total of 51 vulnerabilities on Tuesday, and only one of them was rated critical: a remote code execution flaw (CVE-2024-30080) in the Microsoft Message Queuing (MSMQ) feature, which allows applications running on different processors and servers to communicate with each other. MSMQ is not enabled by default, but multiple applications, including Microsoft Exchange Server, enable it as part of their installation routines.
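Because MSMQ is off by default but silently enabled by products such as Exchange, administrators often do not know which hosts expose it. The following read-only triage script is an added example written for this article, not code from CSO, Microsoft or Morphisec. It reports whether the MSMQ service and optional feature are present, whether anything is listening on MSMQ's default TCP port (1801, taken from MSMQ documentation rather than from the article), and the installed Click-to-Run Office build so it can be compared with the fixed build in Microsoft's advisory for CVE-2024-30103; that build number is not given in the article, so it is left as a labelled placeholder.

```powershell
# Added example (not from the article or the vendors named in it): read-only
# exposure check for the two issues discussed above. Run in an elevated
# PowerShell session on Windows 8 / Server 2012 or later (Get-NetTCPConnection
# and Get-WindowsOptionalFeature are not available on older releases).

# 1. Is the MSMQ service installed, and is it running?
$msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($null -eq $msmq) {
    Write-Output "MSMQ service: not installed"
} else {
    Write-Output "MSMQ service: installed, status = $($msmq.Status)"
}

# 2. Is the MSMQ-Server optional feature enabled? (requires elevation)
try {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -ErrorAction Stop
    Write-Output "MSMQ-Server feature: $($feature.State)"
} catch {
    Write-Output "MSMQ-Server feature: could not query (run from an elevated prompt)"
}

# 3. Is anything listening on MSMQ's default TCP port?
#    Port 1801 is an assumption from MSMQ documentation; the article does not state it.
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort 1801 -ErrorAction SilentlyContinue)
if ($listeners.Count -gt 0) {
    $pids = ($listeners | ForEach-Object { $_.OwningProcess }) -join ', '
    Write-Output "TCP 1801: listening (owning PID(s): $pids)"
} else {
    Write-Output "TCP 1801: no listener"
}

# 4. Report the installed Click-to-Run Office build for comparison with the
#    fixed build in Microsoft's CVE-2024-30103 advisory (placeholder below).
$fixedBuild = '<fixed build from Microsoft advisory>'   # placeholder, not a real value
$c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
if ($c2r -and $c2r.VersionToReport) {
    Write-Output "Office (Click-to-Run) build: $($c2r.VersionToReport); compare with fixed build $fixedBuild"
} else {
    Write-Output "Office Click-to-Run configuration not found (MSI-based install or Office absent)"
}
```

A host that reports the MSMQ service as running or a listener on the port warrants prioritising the CVE-2024-30080 update, since the feature was most likely turned on by an installer rather than by an administrator; the Office build line only makes sense once it is compared with the build number published in Microsoft's advisory.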
