Security researchers have revealed a significant vulnerability in Microsoft Outlook. According to Morphisec Threat Labs, which discovered the flaw, CVE-2024-38173 is a Form Injection Remote Code Execution (RCE) vulnerability with a CVSS score of 6.7.
It is similar to CVE-2024-30103, which was patched in July 2024.
The vulnerability CVE-2024-38173 is characterized by the weakness “CWE-73: External Control of File Name or Path”. While the attack vector is classified as local, the attacker can be remote.
The exploitation occurs locally on the victim's machine after the attacker has gained access to the victim's Microsoft Outlook account, typically through compromised or stolen credentials.
The attack complexity is rated as high, which implies that an attacker must take several steps to exploit the vulnerability successfully. Specifically, they need to install a malicious form on the victim's system.
User interaction is also required; the victim must open a malicious email and perform specific actions to trigger the vulnerability. Notably, the Preview Pane in Outlook serves as an attack vector, making it easier for attackers to exploit this flaw without requiring extensive user engagement.
"As was the case with CVE-2024-30103, this again is a zero-click vulnerability and does not require user interaction on systems with Microsoft's auto-open email feature enabled," Morphisec explained.
To address these vulnerabilities, users are advised to:
- Update Microsoft Outlook and Office applications with the latest patches
- Block outbound Server Message Block (SMB) traffic and enforce Kerberos authentication
- Implement robust email security measures, such as disabling automatic email previews
- Educate users on the risks of interacting with emails from unknown sources
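The second mitigation above, blocking outbound SMB so a form-injection payload cannot reach an attacker-controlled share, can be applied and verified on a single Windows host with the built-in NetSecurity module. The snippet below is an added example written for this article, not Morphisec's or Microsoft's code; the rule names and the choice of ports (TCP 445 for SMB, TCP 139 for SMB over NetBIOS) are assumptions, and it must be run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: block outbound SMB with Windows Defender Firewall rules.
# Rule names and port list are assumptions chosen for this illustration.

$SmbBlockRules = @(
    @{ Name = 'Block-Outbound-SMB-445'; Port = 445 },   # direct-hosted SMB
    @{ Name = 'Block-Outbound-SMB-139'; Port = 139 }    # SMB over NetBIOS session
)

function Add-OutboundSmbBlock {
    # Creates one outbound Block rule per port, across all firewall profiles.
    foreach ($rule in $SmbBlockRules) {
        if (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue) {
            Write-Host "Rule '$($rule.Name)' already exists, skipping."
            continue
        }
        New-NetFirewallRule -DisplayName $rule.Name `
            -Direction Outbound -Protocol TCP -RemotePort $rule.Port `
            -Action Block -Profile Any -Enabled True | Out-Null
        Write-Host "Created outbound block for TCP/$($rule.Port)."
    }
}

function Test-OutboundSmbBlock {
    # Returns $true only if every expected rule exists, is enabled, and blocks.
    $allGood = $true
    foreach ($rule in $SmbBlockRules) {
        $fw = Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue
        if (-not $fw -or $fw.Enabled -ne 'True' -or $fw.Action -ne 'Block') {
            Write-Warning "Outbound SMB block for TCP/$($rule.Port) is missing or inactive."
            $allGood = $false
        }
    }
    return $allGood
}

Add-OutboundSmbBlock
if (Test-OutboundSmbBlock) { 'Outbound SMB is blocked on this host.' }
```

Host-based rules only cover the endpoint they are applied to; the same block should also be enforced at the network perimeter so that NTLM credential relay over SMB is cut off regardless of the client's configuration.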
Morphisec's research involved analysis of Outlook's codebase through fuzzing and reverse engineering. Their findings were reported to Microsoft as part of the responsible disclosure process. Both issues were addressed by the tech giant in its August 2024 patch release.
In addition to CVE-2024-38173, the August patch cycle also included fixes for other vulnerabilities that could potentially be chained together to provide complete control over affected systems.
Read more about these patches: Microsoft Fixes Nine Zero-Days on Patch Tuesday