The recently discovered vulnerability in how Outlook handles specific hyperlinks, tracked as CVE-2024-21413, has been found to be exploited by threat actors in the wild. The severity of this critical vulnerability is reported to be 9.8.
Microsoft has addressed and fixed this vulnerability as part of its Patch Tuesday release of February 2024. Successful exploitation could allow a threat actor to bypass Office Protected View and open a file in editing mode rather than in "protected mode."
According to a report by Check Point, the vulnerability is associated with the handling of hyperlinks, specifically with regard to certain protocols. When a hyperlink begins with http:// or https://, Outlook uses the Windows default browser to open the URL. If an alternative protocol, such as the "Skype" URL protocol, is present, clicking the hyperlink displays a security warning.
If the hyperlink uses the "file://" protocol, on the other hand, Outlook did not display a warning dialog box; instead, it generated an error message in the Windows Notification Center. Additionally, if the file was actually accessed, this raised the risk of leaking local NTLM credential information.
An issue known as the #MonikerLink bug was also identified: a slight modification of the "file://" protocol link bypasses the security restriction described above and allows access to the resource. As per the report, a test link was used to access the "test.rtf" file on the remote resource, essentially leveraging the SMB protocol to leak local NTLM credential information in the process. Moreover, the researchers also tried to escalate this attack vector to arbitrary code execution.
The Moniker Link string uses the moniker mechanism for looking up COM (Component Object Model) objects on Windows, with Outlook calling the ole32!MkParseDisplayName() API for this purpose. As per Microsoft's API documentation for monikers, including "!" in the string makes it a composite moniker.
In the context of exploitation, researchers utilized this composite moniker with FileMoniker (\\10.10.111.111\test\test.rtf) + ItemMoniker (something) to access Microsoft Word. The attack involves running Microsoft Word as a COM server in the background and modifying the “test.rtf” file to perform arbitrary code execution on the remote system using “WINWORD.EXE.”
Researchers have indicated that this #MonikerLink bug/attack vector may be present in other software as well and recommend that developers take measures to address and fix the issue.
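As an added example (not from Check Point's report or this article), a defender-side triage function in Python that classifies hyperlink targets pulled from a message body according to the protocol behaviour described above: http/https links pass, other schemes get a warning, and file:// targets are flagged, with a remote UNC host (SMB fetch, NTLM leak risk) or a "!" composite-moniker separator treated as a block. The HTML body and hosts are constructed, and the verdict thresholds are an assumption of this example, not part of Microsoft's fix.

```python
import re
from urllib.parse import urlparse

# Constructed sample message body; the hosts and paths are not real.
SAMPLE_BODY = """
<a href="https://example.com/report">report</a>
<a href="skype:someone?call">call</a>
<a href="file://192.0.2.10/share/doc.rtf">doc</a>
<a href="file:///C:/Users/Public/notes.txt">notes</a>
<a href="file://192.0.2.10/share/doc.rtf!something">doc2</a>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def extract_hrefs(html: str) -> list:
    """Pull href targets out of an HTML body (simple regex, not a full parser)."""
    return HREF_RE.findall(html)


def classify_link(url: str) -> dict:
    """Classify one hyperlink target.

    verdict: 'allow' for http/https, 'warn' for any other scheme (Outlook
    already prompts) and for local file:// paths, 'block' for file:// targets
    on a remote host or carrying a '!' composite-moniker separator.
    """
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    result = {"url": url, "scheme": scheme, "remote_file": False,
              "composite_moniker": False, "verdict": "allow"}
    if scheme in ("http", "https"):
        return result
    if scheme != "file":
        result["verdict"] = "warn"
        return result
    # A non-empty netloc in a file:// URL is a UNC host, i.e. an SMB fetch.
    result["remote_file"] = parsed.netloc not in ("", "localhost")
    # '!' inside the path is the composite-moniker separator from the report.
    result["composite_moniker"] = "!" in parsed.path
    if result["remote_file"] or result["composite_moniker"]:
        result["verdict"] = "block"
    else:
        result["verdict"] = "warn"
    return result


def scan_body(html: str) -> list:
    """Classify every hyperlink found in a message body."""
    return [classify_link(u) for u in extract_hrefs(html)]
```

In a mail gateway this heuristic is a supplementary detection; the actual mitigation is applying Microsoft's February 2024 patch.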

