This month, multiple Windows vulnerabilities (1,2) are on the list of vulnerabilities known to be exploited by the U.S. government. Now, a new report strongly suggests that 500 million Outlook users may be at the same level of risk from a “critical zero-click remote code execution (RCE) vulnerability affecting most Microsoft Outlook applications.”
Microsoft advice

Although no exploitation has been detected to date, the company has warned that “the possibility of exploitation is increasing” and urged users to update their software. Morphisec, who reported the issue to Microsoft, went further: “Given the broader impact of this vulnerability, particularly its zero-click vector against trusted senders and its potential for broader impact, we have requested that Microsoft reassess the severity and classify it as ‘Critical’,” the company said.
The researchers warn that the vulnerability “affects most Microsoft Outlook applications,” and there’s nothing in Microsoft’s own release to suggest otherwise. These are applications used by most large enterprises, not to mention the hundreds of millions of users of the Outlook email service. The researchers note that while this RCE is complex, “it may be possible to simplify the attack process by chaining this vulnerability with another.” For enterprises, the obvious threat behind an Outlook exploit is ransomware.
CVE-2024-38021 was fixed as part of Microsoft’s larger July security update, which Morphisec welcomed: “Given its zero-click nature (for trusted senders) and lack of authentication requirements, CVE-2024-38021 poses a serious risk.”
According to Morphisec, the threat spectrum includes the following: “The vulnerability could be exploited to gain unauthorized access, execute arbitrary code, and cause severe damage without user interaction. The lack of authentication requirements makes it particularly dangerous as it could lead to widespread exploitation.”
The repeated reference to “trusted senders” in this alert is important: the vulnerability only poses a zero-click threat if the email is received from a trusted source. If the sender is unknown, the user must click to trigger execution. That said, if all an attacker needs is to forge an email from a trusted source, the bar is very low in today’s industrial-scale world of business email compromise.
“We deeply appreciate Morphisec’s investigation and for responsibly reporting this under coordinated vulnerability disclosure. Customers who installed the update are already protected,” a Microsoft spokesperson said.
As is typical with these types of disclosures, few technical details are being released until most users have had a chance to patch their software, but those details will be made public shortly. Morphisec says it discovered the vulnerability through “extensive fuzzing and reverse engineering of the Microsoft Outlook codebase,” and will be sharing further findings with the security community at Def Con 32 in Las Vegas next month in a session intriguingly titled “Outlook Unleashes RCE Chaos.”