Experts Detail New Zero-Click Windows Vulnerability
Information about a security hole in the now-patched Windows MSHTML framework that might be used to get around integrity safeguards on targeted computers was shared by cybersecurity researchers.
The CVE-2023-29324 vulnerability, with a CVSS score of 6.5, has been classified as a security feature bypass. Microsoft fixed the issue as part of its May 2023 Patch Tuesday upgrades. All Windows versions are affected by the problem, according to Akamai security researcher Ben Barnea, who also pointed out that Microsoft’s Exchange servers with the March upgrade remove the vulnerable functionality.
Ban Barnea said in the report shared that: “An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server, This results in NTLM credentials theft. It is a zero-click vulnerability, meaning it can be triggered with no user interaction.”
It’s also important to note that CVE-2023-29324 circumvents a patch Microsoft implemented in March 2023 to address CVE-2023-23397, a serious privilege escalation vulnerability in Outlook that, according to the firm, has been used by Russian threat actors in attacks against European targets since April 2022.
According to Akamai, the problem is caused by Windows’ complicated processing of paths, which makes it possible for a threat actor to create a malicious URL that can bypass internet security zone checks.
Barnea said: “This vulnerability is yet another example of patch scrutinizing leading to new vulnerabilities and bypasses, It is a zero-click media parsing attack surface that could potentially contain critical memory corruption vulnerabilities.”
Microsoft also advises users to install Internet Explorer Cumulative updates to address vulnerabilities in the MSHTML platform and scripting engine in order to be completely protected.
Our Readers ALSO READSerious Flaws Found in Cisco Small Business Switches