Cybersecurity researchers shared details about security flaws in Windows now being patched MSHTML platform This can be exploited to bypass integrity protections on the target machine.
Vulnerabilities tracked as CVE-2023-29324 (CVSS score: 6.5), described as a security feature bypass. This issue was addressed by Microsoft as part of the May 2023 Patch Tuesday update.
Akamai security researcher Ben Barnea, who found and reported the bug, said all versions of Windows are affected, but Microsoft, Exchange,
Servers with the March update omit the vulnerable functionality.
“An unauthenticated Internet attacker could use this vulnerability to force an Outlook client to connect to an attacker-controlled server,” Barnea said. Said In a report shared with The Hacker News.
“This introduces NTLM credential theft. This is a zero-click vulnerability, meaning it can be triggered without user interaction.”
Also note that CVE-2023-29324 is a bypass of the fix that Microsoft introduced in March 2023 for resolution. CVE-2023-23397a critical privilege escalation flaw in Outlook, which has been exploited by Russian threat actors in attacks targeting European entities since April 2022, the company said.
Learn how to stop ransomware with real-time protection
Join our webinar to learn how to stop ransomware attacks using real-time MFA and service account protection.
Akamai has determined that the cause of the issue is Complex Path Handling on WindowsThis allows threat actors to craft malicious URLs that can bypass Internet Security Zone checks.
“This vulnerability is an example of scrutiny of patches that lead to new vulnerabilities and bypasses,” Barnea said. “This is a zero-click media parsing attack surface and may contain severe memory corruption vulnerabilities.”
Microsoft further recommends that users install the Internet Explorer Cumulative Update that addresses vulnerabilities in the MSHTML platform and scripting engine to maintain full protection.
