Article Details
Scrape Timestamp (UTC): 2024-02-14 20:12:04.030
Original Article Text
Microsoft: New critical Outlook RCE bug exploited as zero-day

Microsoft updated a security advisory today to warn that a critical Outlook bug was exploited in attacks as a zero-day before being fixed during this month's Patch Tuesday.

Discovered by Check Point vulnerability researcher Haifei Li and tracked as CVE-2024-21413, this vulnerability leads to remote code execution (RCE) when opening emails with malicious links using a vulnerable Microsoft Outlook version. This happens because the flaw also enables attackers to bypass Protected View (designed to block harmful content embedded in Office files by opening them in read-only mode) and open malicious Office files in editing mode.

Redmond also warned that the Preview Pane is an attack vector for this security flaw, allowing successful exploitation even when previewing maliciously crafted Office documents in Windows Explorer. Unauthenticated attackers can exploit CVE-2024-21413 remotely in low-complexity attacks that don't require user interaction.

"An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality," Microsoft explains. "An attacker could craft a malicious link that bypasses the Protected View Protocol, which leads to the leaking of local NTLM credential information and remote code execution (RCE)."

CVE-2024-21413 affects multiple Office products, including Microsoft Office LTSC 2021 and Microsoft 365 Apps for Enterprise, as well as Microsoft Outlook 2016 and Microsoft Office 2019 (under extended support).

Exclamation mark to bypass Outlook protections

As explained by Check Point in a report published today, the vulnerability they dubbed Moniker Link allows attackers to bypass built-in Outlook protections for malicious links embedded in emails by using the file:// protocol and adding an exclamation mark to URLs pointing to attacker-controlled servers.

The exclamation mark is added right after the document extension, together with some random text (in their example, Check Point used "something"), as shown in the example from their report. This type of hyperlink bypasses Outlook's security restriction, and Outlook will access the remote resource "\\10.10.111.111\test\test.rtf" when the link is clicked, without throwing any warnings or errors.

The flaw stems from the unsafe MkParseDisplayName API, so the vulnerability may also impact other software that uses it. The impact of attacks successfully exploiting CVE-2024-21413 includes theft of NTLM credential information, arbitrary code execution via maliciously crafted Office documents,

"We've confirmed this #MonikerLink bug/attack vector on the latest Windows 10/11 + Microsoft 365 (Office 2021) environments," Check Point said. "Other Office editions/versions are likely affected, too. In fact, we believe this is an overlooked issue which existed in the Windows/COM ecosystem for decades, since it lies in the core of the COM APIs. We strongly recommend all Outlook users apply the official patch as soon as possible."

A Microsoft spokesperson was not immediately available when BleepingComputer reached out for more details regarding CVE-2024-21413 exploitation in the wild.
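A defender-side check for the link shape described above, added here as an example that is not from the article or from Check Point's report: it extracts hyperlinks from an HTML mail body and flags file:// links that carry an exclamation mark directly after the document extension, so a mail gateway or IR script can triage messages for this pattern. The sample bodies and the documentation address 203.0.113.10 are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Assumed link shape, taken from the technique described in the article:
# a file:// URL whose path ends in a document extension, then "!", then
# arbitrary trailing text (e.g. file://host/share/doc.rtf!something).
MONIKER_LINK_RE = re.compile(
    r"""file:///?            # file:// scheme, with or without a third slash
        [^\s"'<>]+?          # host and path, matched non-greedily
        \.[A-Za-z0-9]{1,5}   # document extension (.rtf, .docx, ...)
        !                    # the exclamation mark that changes how the link is parsed
        [^\s"'<>]+           # the trailing text after the bang
    """,
    re.IGNORECASE | re.VERBOSE,
)


class _HrefCollector(HTMLParser):
    """Collects href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def find_moniker_links(html_body):
    """Return the distinct links in an HTML mail body that match the Moniker Link shape."""
    collector = _HrefCollector()
    collector.feed(html_body)
    # Also scan the raw text so a bare URL outside an <a> tag is not missed.
    candidates = collector.hrefs + MONIKER_LINK_RE.findall(html_body)
    flagged = []
    for link in candidates:
        if MONIKER_LINK_RE.search(link) and link not in flagged:
            flagged.append(link)
    return flagged


# Constructed sample mail bodies (not real messages).
SAMPLE_EMAILS = {
    "https-link": '<p>Report: <a href="https://intranet.example/report.docx">report</a></p>',
    "plain-file-link": '<p><a href="file://fileserver.example/share/notes.rtf">notes</a></p>',
    "bang-after-ext": '<p>Urgent: <a href="file://203.0.113.10/share/invoice.rtf!something">invoice</a></p>',
    "bare-url": "<p>Open file://203.0.113.10/x/notes.doc!abc before noon</p>",
}

if __name__ == "__main__":
    for name, body in SAMPLE_EMAILS.items():
        print(name, find_moniker_links(body))
```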
Daily Brief Summary
Microsoft has issued a security advisory about a critical remote code execution (RCE) vulnerability in Outlook that has been exploited as a zero-day.
The vulnerability, identified as CVE-2024-21413, was uncovered by Check Point and can be triggered by simply opening an email containing a malicious link.
Attackers can bypass Outlook's Protected View, enabling the opening of harmful Office files in editing mode and leading to potential NTLM credential theft and RCE.
The Preview Pane in Windows Explorer is also susceptible, making it possible for attacks to succeed without any direct user interaction with the email.
The vulnerability affects various Microsoft Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, and older versions of Outlook still under extended support.
The exploitation technique involves using the file:// protocol with an exclamation mark appended after the document extension to bypass security restrictions in Outlook.
Given that the critical vulnerability lies in the core Windows/COM APIs, other software using the same APIs could potentially be at risk.
Microsoft strongly recommends that all Outlook users apply the available patch to protect against this security flaw.