Microsoft updates are making headlines this month, with multiple Windows vulnerabilities (1,2) making the US government’s list of those known to have been exploited in the wild. Now a new report strongly suggests 500 million Outlook users may be running that same level of risk from “a significant… zero-click remote code execution (RCE) vulnerability that impacts most Microsoft Outlook applications.”
Microsoft has warned users to update their platforms, and acknowledges that although it says there are no known exploits as yet, “exploitation is more likely.” The team at Morphisec which disclosed the issue to Microsoft goes further. “Given the broader implications of this vulnerability,” they say, “particularly its zero-click vector for trusted senders and its potential for much wider spread impact, we have requested Microsoft to reassess the severity and label it as ‘Critical’.”
The researchers warn that the vulnerability “impacts most Microsoft Outlook applications,” and nothing in Microsoft’s own release suggests otherwise. These are applications used by most large corporates, to say nothing of hundreds of millions of Outlook mail service users. The team says that this RCE is complex but “the chaining of this vulnerability with another could potentially simplify the attack process.” The threat from an Outlook exploit targeting corporates is clearly ransomware.
CVE-2024-38021 was patched as part of Microsoft’s bulging July security update, which Morphisec says it welcomes. “Given its zero-click nature (for trusted senders) and lack of authentication requirements, CVE-2024-38021 poses a severe risk.”
The range of threats, they say, include “attackers exploit[ing] this vulnerability to gain unauthorized access, execute arbitrary code, and cause substantial damage without any user interaction. The absence of authentication requirements makes it particularly dangerous, as it opens the door to widespread exploitation.”
The repeated reference to “trusted senders” in this warning is important. This vulnerability only carries a zero-click threat when an email is received from a trusted source. If the sender is unknown, then the user would need to click to execute. That said, if the problem for an attacker is now spoofing emails from trusted sources, that’s a very low bar in today’s world of industrial-scale business email compromise.
As usual with this type of disclosure, little technical detail is made available until most users are deemed to have had the opportunity to patch their software. That detail is coming soon though. Morphisec says it discovered the vulnerability through “extensive fuzzing and reverse engineering of Microsoft Outlook’s codebase,” and will share more of its findings with the security community at next month’s Def Con 32 in Las Vegas in an interestingly titled session: “Outlook Unleashing RCE Chaos.”
I have reached out to Microsoft for any further comments on this report.