The zero-click hole, which was patched by Microsoft Tuesday, could point to far more vulnerabilities in the form-based architecture of Outlook.

Among the large batch of security patches that Microsoft released on Tuesday was an especially nasty hole within Microsoft’s Outlook email client, one that would allow an attacker full access by simply sending the user an email, even if the recipient chooses not to open the message. If the attack is successful, the end user would have no way of knowing that they have been attacked.

“You will not know. You will not experience anything,” said Michael Gorelik, the chief technology officer at Morphisec, the security firm that says it discovered the hole and reported it to Microsoft.

Gorelik said that the hole that was already patched did require the attacker to have email credentials for the attack to work. But, he added, “Even if the attacker has email credentials, it does not mean he had access to the network or the computer. Any normal organization has to assume that some of its employees’ credentials are out by definition.” After all, he pointed out, “If adversaries could execute code in the network by merely having email credentials, we would have 1000% more cases of ransomware compromise and we wouldn’t need initial access brokers.”

The risk is still there

Of far greater concern, Gorelik said, is that this flaw may indicate the existence of similar zero-click holes that Microsoft has yet to patch. “There are at least two more confirmed CVEs that have yet to be patched, (both of) which lead to full NTLM [NT LAN Manager] compromise, so the risk is still there,” Gorelik told CSO Online on Wednesday.

The hole, which Microsoft has dubbed CVE-2024-38173, allows any email malware to be activated without the recipient opening the message, courtesy of Outlook’s popular email preview function.
But even for those who are not using mail preview, the malware is still likely to be activated, as most corporate employees would open those messages anyway. They know not to open an unknown attachment or click on an unexpected link, but this attack methodology requires neither of those actions.

“The discovery of CVE-2024-38173 highlights a critical flaw in the form-based architecture of Outlook, where an attacker with access to an account can craft and propagate a malicious form that evades detection due to a faulty deny list implementation,” Gorelik said.

Form security at fault

But Gorelik stressed that Tuesday’s patch likely does not resolve the underlying vulnerability. “This vulnerability is the third in a series, indicating a persistent issue with Microsoft’s handling of form security. To mitigate the risk of exploitation, enterprises should enforce Kerberos authentication by default and block NTLM where possible,” he said. “Additionally, hardening endpoints and restricting certain protocols, such as SMB [server message block], are crucial steps.”

The problem with the remaining holes, Gorelik explained, is that they all involve ways of bypassing the Microsoft deny list, which in turn allows a custom form to execute automatically. He suggested blocking all outbound SMB traffic as well as strictly enforcing SMB signing.

One strategy to defend against the issues, he said, is to leverage AMTD, a Gartner concept called Automated Moving Target Defense, in which system configurations, network characteristics, or software are dynamically modified to disrupt attackers’ efforts to discover and exploit vulnerabilities.

It may get worse

The NTLM matter is something that Microsoft has wrestled with before. And in its blog post, Morphisec offered ways that these problems could get much worse. It said that the holes leveraged “techniques to hijack and leak NTLM. Both vulnerabilities are critical, as attackers could theoretically chain them and build a full attack chain allowing the adversary complete control of the system without the need for prior authentication.”

This story has been updated with a clarification that the patched flaw required the attacker to have email credentials.
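The host-level mitigations Gorelik recommends (strict SMB signing, blocking outbound SMB, preferring Kerberos by restricting NTLM) can be applied and verified with the following script, an added example that is not code from the article or from Morphisec. It assumes an elevated PowerShell on a domain-joined Windows host; the firewall rule name and the use of the Windows Firewall 'Internet' address keyword are this script's own choices.

```powershell
# Added example (not code from the article or from Morphisec): applies the
# mitigations quoted above on one Windows host and reports the resulting posture.
# Assumptions: run from an elevated PowerShell on Windows 10/11 or Server 2016+;
# the rule name and the firewall 'Internet' address keyword (addresses outside
# the NLA-classified intranet) are this script's choices, not the article's.
$BlockRuleName = 'Hardening: block outbound SMB to Internet'

function Get-NtlmSmbPosture {
    # Read back every setting the hardening function touches.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        SmbClientSigningRequired = (Get-SmbClientConfiguration).RequireSecuritySignature
        SmbServerSigningRequired = (Get-SmbServerConfiguration).RequireSecuritySignature
        # 5 = send NTLMv2 only, refuse LM and NTLMv1
        LmCompatibilityLevel     = (Get-ItemProperty $lsa).LmCompatibilityLevel
        # 0 = allow, 1 = audit, 2 = deny outgoing NTLM to remote servers
        RestrictSendingNtlm      = (Get-ItemProperty "$lsa\MSV1_0" -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
        OutboundSmbBlocked       = [bool](Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue)
    }
}

function Invoke-NtlmSmbHardening {
    param([switch]$AuditNtlmOnly)  # start in audit mode, switch to deny once the log is clean
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # 1. Strict SMB signing on both the client and the server side of this host.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

    # 2. Block outbound SMB (TCP 445 and NetBIOS 139) to non-intranet addresses,
    #    which is where a leaked NTLM hash would otherwise be sent.
    if (-not (Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $BlockRuleName -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 445,139 -RemoteAddress Internet -Profile Any | Out-Null
    }

    # 3. Prefer Kerberos: refuse LM/NTLMv1 and audit or deny outgoing NTLM entirely.
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    $mode = if ($AuditNtlmOnly) { 1 } else { 2 }
    if (-not (Test-Path "$lsa\MSV1_0")) { New-Item -Path "$lsa\MSV1_0" | Out-Null }
    Set-ItemProperty -Path "$lsa\MSV1_0" -Name RestrictSendingNTLMTraffic -Value $mode -Type DWord

    Get-NtlmSmbPosture
}

# Usage: Invoke-NtlmSmbHardening -AuditNtlmOnly, then review the
# Microsoft-Windows-NTLM/Operational log (event 8001 = outgoing NTLM that would
# be blocked) before running it again without the switch to enforce the deny.
```

Deploy the registry and firewall settings via Group Policy rather than per host in any real estate; the script is for validating the effect on a single machine before rolling the policy out.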