Security researchers at Morphisec have uncovered a significant new vulnerability in Microsoft Outlook, raising concerns about potential unauthorized access and data breaches.
The flaw, identified as CVE-2024-38021, allows for remote code execution (RCE) without requiring user authentication in many cases.
This latest security issue comes on the heels of a previous Outlook vulnerability, CVE-2024-30103, which was disclosed in June. Unlike its predecessor, which required at least NTLM token authentication, CVE-2024-38021 can potentially be exploited without any authentication, making it considerably more dangerous.
Microsoft has categorized the severity of this vulnerability as "Important." However, the tech giant's assessment distinguishes between trusted and untrusted email senders. For messages originating from trusted sources, the vulnerability is considered "zero-click," meaning it could be exploited without user interaction. In contrast, emails from untrusted senders would require a single click to activate the exploit.
Morphisec researchers, concerned about the broader implications of this vulnerability, have requested that Microsoft re-evaluate the severity rating and elevate it to "Critical." They argue that the zero-click vector for trusted senders and its potential for widespread impact warrant a higher threat level.
Morphisec noted that the discovery of CVE-2024-38021 followed a meticulous research process, involving extensive fuzzing and reverse engineering of Microsoft Outlook's codebase. After identifying the vulnerability, the research team promptly reported their findings to Microsoft on April 21, 2024, adhering to responsible disclosure practices. Microsoft confirmed the vulnerability five days later, on April 26.
In response to the discovery, Microsoft included a patch for CVE-2024-38021 in its July 9, 2024 Patch Tuesday updates.
Security experts are now urging Outlook users and system administrators to apply these updates as soon as possible to mitigate the risk of exploitation.
The complexity of exploiting this RCE vulnerability is higher than that of CVE-2024-30103, potentially reducing the likelihood of immediate widespread attacks.
To protect against potential exploits, Morphisec recommends several urgent actions:
- Deploy the latest patches for all Microsoft Outlook and Office applications immediately.
- Implement robust email security measures, including disabling automatic email previews where feasible.
- Educate users about the risks associated with opening emails from unknown or suspicious sources.
- Consider implementing Endpoint Detection and Response (EDR) and Automated Moving Target Defense (AMTD) solutions to provide additional layers of protection against both known and unknown attacks.
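The first recommendation above, confirming that the patched Outlook build is actually installed, is the one administrators can verify mechanically. The following PowerShell snippet is an added example, not part of Morphisec's advisory or Microsoft's tooling: it reads the reported Click-to-Run Office version from the registry and compares it with a minimum build that must be filled in from the July 9, 2024 Patch Tuesday release notes (the value shown is a placeholder, since the article does not state the fixed build number).

```powershell
# Added example: check whether the installed Click-to-Run Office build is at or above
# the build that ships the CVE-2024-38021 fix. Replace the placeholder with the real
# fixed build from Microsoft's July 2024 release notes before using this in production.
$MinimumPatchedBuild = [version]'0.0.0.0'   # PLACEHOLDER - set from the July 9, 2024 update notes

function Get-OfficeClickToRunVersion {
    # VersionToReport holds the build Office reports under File > Account for Click-to-Run installs.
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not $props.VersionToReport) {
        return $null   # MSI-based or missing Office install; handle separately
    }
    return [version]$props.VersionToReport
}

function Test-OutlookPatched {
    param([Parameter(Mandatory)][version]$Installed, [Parameter(Mandatory)][version]$Minimum)
    # Returns $true when the installed build is at least the minimum patched build.
    return $Installed -ge $Minimum
}

$installed = Get-OfficeClickToRunVersion
if ($null -eq $installed) {
    Write-Warning 'No Click-to-Run Office version found; verify the installation type manually.'
} elseif (Test-OutlookPatched -Installed $installed -Minimum $MinimumPatchedBuild) {
    Write-Output "Office build $installed is at or above the minimum patched build $MinimumPatchedBuild."
} else {
    Write-Warning "Office build $installed is below $MinimumPatchedBuild; apply the July 2024 updates."
}
```

The script only covers Click-to-Run installations; MSI-based Office deployments store their version elsewhere and should be checked through the organization's patch-management inventory instead.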
Morphisec will release the technical details and proof of concept (PoC) for CVE-2024-30103 and CVE-2024-38021 at the DEF CON 32 conference in Las Vegas.
Morphisec researchers Michael Gorelik and Arnold Osipov will be presenting their findings titled "Outlook Unleashing RCE Chaos: CVE-2024-30103 & 2024-38021," at the upcoming DEF CON 32 conference.