Security flaw in Microsoft Outlook lets attackers in without the victim opening a malicious message

Among the huge number of security patches Microsoft released on Tuesday is a fix for a nasty flaw in its Outlook email client that would allow an attacker to gain full access simply by sending an email to the user, even if the recipient never opens the message.

If the attack is successful, the end user will have no way of knowing that they have been attacked. “You may not know it. You may not feel anything,” said Michael Gorelik, CTO of Morphisec, the security firm that says it discovered the flaw and reported it to Microsoft.

Gorelik noted that the now-patched flaw required the attacker to have email credentials for the attack to work.

But, he added, “even if the attacker has email credentials, that doesn’t mean they have access to the network or the computer. Any large organization has to assume that the credentials of some of its workers are, by definition, compromised.”

After all, he noted, “if adversaries could execute code on the network simply by having email credentials, we would have 1,000% more ransomware compromises and we wouldn’t need initial access brokers.”

Even more concerning, according to Gorelik, is that this flaw may point to the existence of other zero-click holes that Microsoft has not yet fixed.

“There are at least two other CVEs shown that have yet to be fixed, (both) leading to a full NTLM [NT LAN Manager] compromise, so the threat is still there,” Gorelik told CSO Online on Wednesday.

The hole, which Microsoft has designated CVE-2024-38173, allows email-borne malware to be activated without the recipient opening the message, thanks to Outlook’s popular preview pane. But even for those who don’t use the preview pane, the malware is still very likely to be activated, as most of a company’s workers would open such messages anyway. They know not to open an unknown attachment or click on an unexpected link, but this attack method does not require either of those actions.

“The discovery of CVE-2024-38173 highlights a critical flaw in Outlook’s form-based architecture, where an attacker with an account can create and propagate a malicious form that evades detection due to a faulty denylist implementation,” says Gorelik.

But Gorelik stressed that Tuesday’s patch likely won’t fix the vulnerability for good.

“This vulnerability is the third in a series, indicating a persistent problem in Microsoft’s handling of form-based security. To mitigate the threat of exploitation, organizations should enforce Kerberos authentication by default and block NTLM when possible,” he said. “Also, hardening endpoints and restricting certain protocols, such as SMB [Server Message Block], are very important steps.”

The challenge with the remaining holes is that they all involve tactics to bypass Microsoft’s denylist and allow a form to run automatically, Gorelik explained. He advised blocking all outbound SMB connections as well as strictly enforcing SMB signing.
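The three controls Gorelik recommends here (restrict outgoing NTLM, require SMB signing, block outbound SMB) are all verifiable on a Windows endpoint. The following PowerShell script is an added example written for this page, not code from CSO Online, Morphisec or Microsoft: it audits the current state of each control and, only when run with `-Remediate`, applies the hardened setting. It assumes an elevated PowerShell 5.1+ session on Windows 8 / Server 2012 or later, where the `SmbShare` and `NetSecurity` modules are available; the firewall rule name is our own label, not a built-in rule.

```powershell
<#
  Added example (not from the article or Morphisec): audit, and optionally apply, the
  NTLM/SMB hardening described above. Run elevated. Assumes Windows 8 / Server 2012+.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

# Findings are collected as objects so they can be piped to Export-Csv or a SIEM collector.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Control, $Current, $Desired, $Pass) {
    $findings.Add([pscustomobject]@{ Control = $Control; Current = $Current; Desired = $Desired; Pass = $Pass })
}

# 1. Outgoing NTLM. RestrictSendingNTLMTraffic under Lsa\MSV1_0 is the registry value behind the
#    policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers":
#    0 = allow all, 1 = audit all, 2 = deny all. A missing value behaves like 0.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlm = (Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($null -eq $ntlm) { $ntlm = 0 }
Add-Finding 'Restrict outgoing NTLM (2 = deny)' $ntlm 2 ($ntlm -eq 2)
if ($Remediate -and $ntlm -ne 2 -and $PSCmdlet.ShouldProcess($lsa, 'Set RestrictSendingNTLMTraffic=2')) {
    # Deny outgoing NTLM. In production, run with value 1 (audit) first and review the
    # NTLM operational event log to find legacy services that still depend on NTLM.
    New-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value 2 -PropertyType DWord -Force | Out-Null
}

# 2. SMB signing, required on both the client and the server side of this host.
$cli = Get-SmbClientConfiguration
$srv = Get-SmbServerConfiguration
Add-Finding 'SMB client signing required' $cli.RequireSecuritySignature $true $cli.RequireSecuritySignature
Add-Finding 'SMB server signing required' $srv.RequireSecuritySignature $true $srv.RequireSecuritySignature
if ($Remediate) {
    if (-not $cli.RequireSecuritySignature -and $PSCmdlet.ShouldProcess('SMB client', 'Require signing')) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
    if (-not $srv.RequireSecuritySignature -and $PSCmdlet.ShouldProcess('SMB server', 'Require signing')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
}

# 3. Outbound SMB (TCP 445) to Internet destinations blocked by Windows Firewall.
#    The display name is an example label chosen here, not a built-in rule.
$ruleName = 'Block outbound SMB to Internet (example)'
$rule     = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
$blocked  = ($null -ne $rule) -and ($rule.Enabled -eq 'True') -and ($rule.Action -eq 'Block')
Add-Finding 'Outbound TCP/445 to Internet blocked' $blocked $true $blocked
if ($Remediate -and -not $blocked -and $PSCmdlet.ShouldProcess($ruleName, 'Create firewall rule')) {
    # -RemoteAddress Internet scopes the block to non-local destinations, so internal file
    # shares keep working while SMB connections to arbitrary external hosts are cut off.
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# Report: one row per control, Pass = $false marks a gap.
$findings | Format-Table -AutoSize
```

Run it once without the switch to see the gaps, then `-Remediate -WhatIf` to preview the changes, then `-Remediate` to apply them. The script deliberately blocks only outbound SMB to Internet-scoped addresses; a blanket outbound block, as the article's stricter advice suggests, is a `-RemoteAddress Any` change but will break access to internal file shares, so it belongs in a staged rollout.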

One strategy to counter those problems, he said, is to leverage AMTD, Automated Moving Target Defense, a Gartner concept in which system configurations, network characteristics or software are dynamically changed to disrupt attackers’ efforts to find and exploit vulnerabilities.

The NTLM challenge is nothing Microsoft hasn’t faced before. And in its blog post, Morphisec warned that those challenges could get even worse.

Gorelik said the holes exploited “techniques to relay and leak NTLM.” Both vulnerabilities are critical, since in theory attackers can simply chain them together and build a complete attack chain that allows the adversary to fully compromise the system without requiring prior authentication.

This story was updated with an explanation that the patched flaw required the attacker to have email credentials.

Evan Schuman has been covering IT issues for far longer than he’ll ever admit. Founding editor of the retail technology site StorefrontBacktalk, he has been a columnist for CBSNews.com, RetailWeek, Computerworld and eWeek, and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution. Evan can be reached at eschuman@thecontentfirm.com and followed on twitter.com/eschuman. Look for his blog twice a week.

The perspectives expressed in this blog are those of Evan Schuman and do not necessarily constitute those of IDG Communications, Inc., its parent, subsidiary, or affiliates.
