Microsoft Outlook Vulnerability Could Be 2023's 'It' Bug

Snowballing PoC exploits for CVE-2023-23397 and a massive attack surface means that almost any business user could be a victim.

2 Min Read
laptop opened to microsoft outlook login page
Alamy

Microsoft recently patched a zero-day vulnerability under active exploit in Microsoft Outlook, identified as CVE-2023-23397, which could enable an attacker to perform a privilege escalation, accessing the victim's Net-NTLMv2 challenge-response authentication hash and impersonating the user.

Now it's becoming clear that CVE-2023-23397 is dangerous enough to become the most far-reaching bug of the year, security researchers are warning. Since disclosure just three days ago, more proof-of-concept (PoC) exploits have sprung onto the scene, which are sure to translate into snowballing criminal interest — helped along by the fact that no user interaction is required for exploitation.

If patching isn't possible quickly, there are some options for addressing the issue, noted below.

Easy Exploit: No User Interaction Necessary

The vulnerability allows the attackers to steal NTLM authentication hashes by sending malicious Outlook notes or tasks to the victim. These trigger the exploit automatically when they're retrieved and processed by the Outlook client, which could lead to exploitation before the email is viewed in the Preview Pane. In other words, a target doesn’t actually have to open the email to fall victim to an attack.

Discovered by researchers from Ukraine's Computer Emergency Response Team (CERT) and by one of Microsoft’s own researchers — and patched earlier this week as part of Microsoft's Patch Tuesday update — the bug affects those running an Exchange server and the Outlook for Windows desktop client. Outlook for Android, iOS, Mac, and Outlook for Web (OWA) are unaffected.

Related:8 Proactive Cybersecurity Technologies to Watch in 2023

"External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control," says Mark Stamford, founder and CEO of OccamSec. This will leak the Net-NTLMv2 hash of the victim to the attacker, who can then relay this to another service and authenticate as the victim, he explains.

A Range of Potential Exploit Impacts

Nick Ascoli, founder and CEO of Foretrace, points out while Microsoft didn't mention how the criminals were using it within their attacks, it allows the reuse of the stolen authentication to connect to other computers over the network for lateral movement.

Continue reading this article on Dark Reading

Read more about:

MicrosoftDark Reading

About the Authors

Dark Reading

Long one of the most widely read cyber security news sites on the Web, Dark Reading, a sister site to ITPro Today, is now the most trusted online community for security professionals like you. Dark Reading's community members include thought-leading security researchers, CISOs, and technology specialists, along with thousands of other security professionals.

Nathan Eddy

Nathan Eddy is a freelance writer for ITProToday and covers various IT trends and topics across wide variety of industries. A graduate of Northwestern University’s Medill School of Journalism, he is also a documentary filmmaker specializing in architecture and urban planning. He currently lives in Berlin, Germany.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like