Summary: A critical vulnerability, CVE-2024-38021, has been discovered in Microsoft Outlook that could lead to data breaches and unauthorized access. The vulnerability is now patched by Microsoft.
Threat Actor: N/A
Victim: Microsoft Outlook
Key Points:
- A critical vulnerability, CVE-2024-38021, has been found in Microsoft Outlook.
- The vulnerability is a zero-click remote code execution (RCE) vulnerability that did not require any authentication.
- If exploited, the vulnerability could result in data breaches, unauthorized access, and other malicious activities.
- Microsoft has rated the vulnerability as “Important” and has distinguished between trusted and untrusted senders.
- For trusted senders, the vulnerability is zero-click, while for untrusted senders, it requires one-click user interaction.
- Morphisec, the security firm that discovered the flaw, has urged Microsoft to reclassify the vulnerability as “Critical” to reflect the higher estimated risk.

Security researchers have uncovered a critical vulnerability, CVE-2024-38021, affecting most Microsoft Outlook applications.
This zero-click remote code execution (RCE) vulnerability, now patched by Microsoft, did not require any authentication, setting it apart from the previously discovered CVE-2024-30103, which required at least an NTLM token.
If exploited, CVE-2024-38021 could lead to data breaches, unauthorized access and other malicious activities. Microsoft has rated this vulnerability as “Important” and noted a distinction between trusted and untrusted senders.
For trusted senders, the vulnerability is zero-click, but it requires one-click user interaction for untrusted senders.
Morphisec, which discovered the flaw and published an advisory about it on July 9, has urged Microsoft to reclassify the vulnerability as “Critical” to reflect the higher estimated risk and ensure adequate mitigation efforts.
The security firm agreed with Microsoft that this RCE is more complex than CVE-2024-30103, making immediate exploitation less likely. However, combining it with another vulnerability could simplify attacks.
The timeline of events began on April 21, 2024, when Morphisec reported the vulnerability to Microsoft. It was confirmed on April 26, 2024, and patched by Microsoft on July 9, 2024, as part of its Patch Tuesday updates.
To mitigate the risk, it is crucial to update all Microsoft Outlook and Office applications with the latest patches. Additionally, implementing robust email security measures, such as disabling automatic email previews and educating users about the risks of opening emails from unknown sources, is essential.
Additionally, Morphisec said that ensuring comprehensive coverage across the security stack with EDR and Automated Moving Target Defense (AMTD) will further reduce risks and provide endpoint assurance against known and unknown attacks.
Source: https://www.infosecurity-magazine.com/news/microsoft-outlook-zero-click-rce