Outlook Zero-click RCE Vulnerability Technical Details Released

Feb 02, 2026

Researchers at Morphisec have uncovered critical technical details about the recently discovered zero-click remote code execution (RCE) vulnerability in Microsoft Outlook, identified as CVE-2024-38021. This vulnerability poses a significant security risk, allowing potential attackers to execute arbitrary code without user authentication.

The vulnerability stems from a flaw in how Outlook handles composite monikers in image tag URLs. Unlike the previous CVE-2024-21413, which involved hyperlink parsing, CVE-2024-38021 bypasses Microsoft’s initial patch by targeting the mso30win32client!HrPmonFromUrl method.

[Figure: Outlook link parsing]

This method, responsible for parsing URLs within image tags, does not set the BlockMkParseDisplayNameOnCurrentThread flag. Consequently, it allows the processing of composite monikers, triggering the unsafe MkParseDisplayName function.

The attack involves passing a composite moniker in an image tag URL. This bypasses the security measures implemented in the hyperlink creation function, leading to potential remote code execution and local NTLM credential leaks.

[Figure: Exploit flow]

Microsoft’s Patch

Microsoft’s patch for CVE-2024-38021 follows a similar approach to the previous vulnerability, utilizing the BlockMkParseDisplayNameOnCurrentThread flag in the HrPmonFromUrl function. This prevents the invocation of the vulnerable MkParseDisplayName function for composite monikers in image tag URLs.

However, researchers discovered that passing a simple file moniker still results in local NTLM credential leaks, indicating that the patch does not fully address all potential security risks.

Microsoft has assessed this vulnerability with an “Important” severity rating, differentiating between trusted and untrusted senders. For trusted senders, the vulnerability is zero-click, while for untrusted senders it requires one-click user interaction.

Given the broader implications and potential for widespread impact, especially its zero-click nature for trusted senders, Morphisec has asked Microsoft to reassess the severity and label it as “Critical”.

Organizations are strongly advised to:

  1. Promptly update all Microsoft Outlook and Office applications.

  2. Implement robust email security measures, including disabling automatic email previews.

  3. Educate users about the risks of opening emails from unknown sources.

Additionally, implementing Automated Moving Target Defense (AMTD) techniques can significantly reduce the risk of exploitation from vulnerabilities like CVE-2024-38021.
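
As a mail-gateway check for the image-tag vector described above, the following added example (not code from Morphisec, Microsoft or the original article) parses a message and reports image sources that point at a file or UNC target instead of a web or inline resource. It assumes a file moniker reaches Outlook as a file: URL or a \\host\share path; the function names, sample message and host names are constructed for illustration.

```python
# Added example: flag HTML mail whose <img> sources resolve to file/UNC targets.
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample message; hosts use reserved example domains.
SAMPLE = """\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://cdn.example.com/logo.png">
<img src="file://fileserver.example.net/share/pixel.png">
<IMG SRC="\\\\fileserver.example.net\\share\\banner.png">
<img src="cid:logo@example.com">
</body></html>
"""

def is_file_target(url):
    """True if the URL is a file: URL or UNC path (assumed file-moniker forms)."""
    # Undo percent-encoding and drop embedded tabs/newlines before matching.
    u = re.sub(r"[\t\r\n]", "", unquote(url)).strip().lower()
    return u.startswith("file:") or u.startswith("\\\\")

class ImgSrcCollector(HTMLParser):
    """Collects the src attribute of every <img> tag (names are lowercased)."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources += [v for k, v in attrs if k == "src" and v]

def suspicious_images(raw_message):
    """Return image sources in text/html parts that point at file/UNC targets."""
    hits = []
    for part in message_from_string(raw_message, policy=policy.default).walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgSrcCollector()
        collector.feed(part.get_content())
        hits += [s for s in collector.sources if is_file_target(s)]
    return hits

if __name__ == "__main__":
    for src in suspicious_images(SAMPLE):
        print("file/UNC image source:", src)
```

A hit is a reason to quarantine or rewrite the message before delivery, since legitimate mail normally references images over https or as cid: attachments.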

Source: CybersecurityNews.com
