A Russian service from BI.ZONE has built protection against a new Microsoft Outlook vulnerability

Short description

A software bug in MS Outlook, designated CVE-2023-23397, was discovered in March 2023. Experts rated it 9.8 out of 10 on the CVSS scale. The attack works by sending an email containing a specially crafted calendar event or task whose reminder points to a UNC path on an attacker-controlled server: Outlook contacts that server, the server demands NTLM authentication, and the victim's credentials leak without the user opening the message. The Russian cloud-based e-mail protection service BI.ZONE CESP has developed an add-on that checks emails and their attachments before they reach the user, providing protection against this vulnerability. Microsoft has also released an update, but not all users in Russia can obtain it.


In March 2023, a critical software bug in MS Outlook became known, designated CVE-2023-23397. Experts rated it 9.8 out of 10 on the CVSS scale. The press service of the cloud-based e-mail protection service BI.ZONE CESP told Habr about the development of an add-on that addresses this problem and described the stages of an attack that uses the vulnerability.

The attacker sends an email that contains a specially crafted calendar event or task. The user does not need to open the message; it is enough that Microsoft Outlook is running on the computer. As described by the BI.ZONE team, the attack proceeds as follows.

  • A user receives an email with a calendar event or task whose reminder links to a UNC path controlled by the attacker. The value is specified in the PidLidReminderFileParameter property, which holds the location of the sound file the Microsoft Outlook client plays when the reminder for the event or task fires.

  • Even if the user does not confirm participation in the event or accept the task, the victim's Microsoft Outlook contacts the illegitimate server when the reminder fires.

  • The illegitimate server demands NTLM authentication.

  • Microsoft Outlook authenticates automatically: the NTLM messages it sends carry the victim's user name and domain together with the challenge response (the Net-NTLMv2 hash; Base64-encoded when the exchange runs over HTTP/WebDAV).

  • The attackers thus capture the victim's authentication credentials, which can be relayed to other services that accept NTLM or cracked offline.

That is, the attackers generate an illegitimate file with the .msg extension in which the following properties and values are set:

  • PidLidReminderOverride = true; — tells Outlook to use the reminder sound settings carried in the message instead of the defaults, which is what enables a custom sound file.

  • PidLidReminderFileParameter = ""; – holds the UNC path (\\host\share\file) of the attacker-controlled server that Outlook will contact.
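As an added example (not BI.ZONE's or Microsoft's code), the following Python implements the kind of filtering rule a mail gateway can apply to the two properties above once a message parser has extracted them. It recognises UNC paths in PidLidReminderFileParameter, including the \\?\UNC\ long-path form, forward-slash spelling and the WebDAV host@SSL@port form, and returns allow, warn or block for each message. The LID values 0x851C and 0x851F are the PSETID_Common identifiers from the MS-OXPROPS specification; the property dictionaries, host names and the trusted-host list are constructed for the illustration.

```python
"""Mail-filter rule for CVE-2023-23397-style reminder properties.

Added example (not BI.ZONE's or Microsoft's code): given the reminder
properties already extracted from a message, decide whether the custom
reminder sound would make Outlook reach out to a remote UNC host.
"""
import re
from dataclasses import dataclass
from typing import Dict, Mapping, Optional

# Named-property LIDs from PSETID_Common (MS-OXPROPS).
PIDLID_REMINDER_OVERRIDE = 0x851C        # PidLidReminderOverride (Boolean)
PIDLID_REMINDER_FILE_PARAMETER = 0x851F  # PidLidReminderFileParameter (String)

# Matches \\host\share\file and the long-path form \\?\UNC\host\share\file.
_UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?(?P<host>[^\\]+)(?:\\.*)?$")


@dataclass
class Verdict:
    action: str            # "allow", "warn" or "block"
    reason: str
    host: Optional[str] = None


def unc_host(path: str) -> Optional[str]:
    """Return the lower-cased server name of a UNC path, or None for local paths."""
    # Windows accepts forward slashes, so //host/share is a UNC path too.
    normalised = path.strip().replace("/", "\\")
    match = _UNC_RE.match(normalised)
    if not match:
        return None
    host = match.group("host")
    # WebDAV mini-redirector forms such as host@SSL@443 or host@8080:
    # the part before the first "@" is the server Outlook would contact.
    return host.split("@", 1)[0].lower()


def classify(props: Mapping[int, object],
             trusted_hosts: frozenset = frozenset()) -> Verdict:
    """Decide what a gateway should do with one message's reminder properties."""
    override = bool(props.get(PIDLID_REMINDER_OVERRIDE, False))
    file_param = props.get(PIDLID_REMINDER_FILE_PARAMETER)
    host = unc_host(str(file_param)) if file_param else None

    if host is None:
        # Default sound or a local file: nothing leaves the machine.
        return Verdict("allow", "reminder sound is default or a local path")
    if not override:
        # Outlook ignores the file parameter without the override flag, but a
        # UNC value with no legitimate purpose is worth stripping anyway.
        return Verdict("warn", "UNC sound path present but override not set", host)
    if host in trusted_hosts:
        return Verdict("warn", "custom reminder sound on an internal share", host)
    return Verdict("block", "reminder sound points at an untrusted UNC host", host)


# Constructed sample messages (property dicts as a parser would hand them over).
SAMPLE_MESSAGES: Dict[str, Dict[int, object]] = {
    "default_sound": {PIDLID_REMINDER_OVERRIDE: False},
    "local_wav": {PIDLID_REMINDER_OVERRIDE: True,
                  PIDLID_REMINDER_FILE_PARAMETER: r"C:\Windows\Media\notify.wav"},
    "attacker_ip": {PIDLID_REMINDER_OVERRIDE: True,
                    PIDLID_REMINDER_FILE_PARAMETER: r"\\203.0.113.10\share\alert.wav"},
    "webdav_port": {PIDLID_REMINDER_OVERRIDE: True,
                    PIDLID_REMINDER_FILE_PARAMETER: r"\\files.example.net@SSL@443\dav\alert.wav"},
    "forward_slashes": {PIDLID_REMINDER_OVERRIDE: True,
                        PIDLID_REMINDER_FILE_PARAMETER: "//203.0.113.10/share/alert.wav"},
    "internal_share": {PIDLID_REMINDER_OVERRIDE: True,
                       PIDLID_REMINDER_FILE_PARAMETER: r"\\fileserver.corp.example\sounds\ding.wav"},
    "no_override": {PIDLID_REMINDER_OVERRIDE: False,
                    PIDLID_REMINDER_FILE_PARAMETER: r"\\203.0.113.10\share\alert.wav"},
}

# Hypothetical internal file server that legitimately hosts reminder sounds.
TRUSTED = frozenset({"fileserver.corp.example"})


def scan(messages: Mapping[str, Mapping[int, object]],
         trusted_hosts: frozenset = TRUSTED) -> Dict[str, str]:
    """Map each message name to the action the filter would take."""
    return {name: classify(props, trusted_hosts).action
            for name, props in messages.items()}


if __name__ == "__main__":
    for name, props in SAMPLE_MESSAGES.items():
        v = classify(props, TRUSTED)
        print(f"{name:16} {v.action:5} {v.host or '-':24} {v.reason}")
```

Treating every UNC host as blockable by default mirrors the conservative stance of Microsoft's own fix, which stops honouring remote paths for the reminder sound; the trusted-host list only downgrades internal shares to a warning so that a gateway can still log them. Parsing the named-property streams out of a real .msg (or reading the properties through MAPI on the mailbox side) is left to the message parser in front of this rule.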

The BI.ZONE CESP team has developed a filter that checks emails and their attachments before they reach the user. The update has already been installed automatically for all clients of the service, so attackers will not be able to use this vulnerability to compromise their e-mail.

“When we first learned about the vulnerability in Microsoft’s mail client, we immediately assessed how much damage it could cause. MS Outlook is not officially updated in our country, and therefore, such an error in the software poses a threat specifically to Russian users. The BI.ZONE CESP team quickly created filtering rules that protect our customers from this vulnerability,” said Muslim Medzhlumov, Director of Products and Technologies at BI.ZONE.

Microsoft has also released an update that provides protection against this attack. But not all users can apply it, because Microsoft Outlook updates are officially unavailable in Russia.
