Call it a patch for a broken patch.

Microsoft's May 2023 security update includes a patch for a vulnerability that allows attackers to easily bypass a fix the company issued in March for a critical privilege-escalation bug in Outlook that attackers have already exploited.

That bug, tracked as CVE-2023-23397, allows attackers a way to steal a user's password hash by coercing the victim's Microsoft Outlook client to connect to an attacker-controlled server. Microsoft, at the time, addressed the issue with a patch that essentially prevented the Outlook client from making such connections.

But a researcher from Akamai examining the fix found another issue in a related Internet Explorer component that allowed him to bypass the patch altogether — by adding just a single character to it.

Microsoft assigned a separate identifier for the new bug (CVE-2023-29324) and issued a patch for it in this month's Patch Tuesday batch.

In its vulnerability release notes, Microsoft described the CVE-2023-29324 as a bug that allows attackers to craft a malicious URL that could evade the zone checks the company had implemented in the patch for the March flaw.

This could result in "a limited loss of integrity and availability of the victim machine," Microsoft said. The company assessed the bug to be of moderate severity even though it also described it as one that attackers are more likely to exploit.

Microsoft is advising organizations to implement both the March patch for CVE-2023-23397 and the May patch for CVE-2023-29324 to be fully protected.

Dangerous Outlook Vulnerability

CVE-2023-29324 is a remotely exploitable, zero-click vulnerability that renders the patch for the original Outlook vulnerability useless, researchers at Akamai say.

"The vulnerability is easily triggered, as [it] doesn't require any special expertise," says Ben Barnea, the researcher at Akamai who discovered the new bug. "In fact, there are many PoCs available on the Internet for the original Outlook vulnerability, and they can be easily adapted to use the new bypass."

The original Outlook flaw, CVE-2023-23397, is a bug that basically allows an unauthenticated attacker to steal a user's NTLM credentials — or password hash — and use them to authenticate to other services. Attackers can exploit the flaw by sending the victim a specially crafted email that triggers automatically when the Outlook client retrieves and processes the email — and before the user has even viewed it in the Preview Pane.

Attackers can use the vulnerability to force a connection from the victim's Outlook client to an attacker-controlled server so they could steal the victims NTLM hash. The bug affects all supported Windows versions.

Abusing Outlook's Custom Notification Sound

Barnea's analysis of the bug showed it stemmed from the manner in which Outlook handles emails containing a reminder with a custom notification sound.

The bug allows an attacker to specify what is known as a UNC path that would cause the Outlook client to retrieve the sound file from any SMB server including an attacker controller one. A Universal Naming Convention (UNC) naming path basically provides a standard way to locate and access shared resources on a network such as files, folders, and printers.

Microsoft addressed the issue by ensuring the relevant Outlook code calls a Windows API function (called MapUrlToZone) that verifies the security zone of a given URL. Security zones in Windows can include local machine zone, intranet zone, and trusted zones. The patch ensures that if the path to the sound file pointed to an Internet URL, the default reminder sound from a local security zone is used instead of the custom audio sound, Akamai said.

Barnea found that by adding a single '\' to the UNC path, an attacker could create a URL that MapUrlToZone would assess as belonging in the local security zone, while also allowing the custom audio file to be downloaded from an external SMB server.

"MapUrlToZone is problematic here. It's used as a security measure, but the function itself contained a bug," Barnea says.

The patch for the original Outlook vulnerability (CVE-2023-23397) used a function that's supposed to parse a path and return whether it's local or remote.

"This addition was meant to prevent an outgoing connection from Outlook to remote servers to fetch a notification sound file," Barnea says. "We found a specific path for which the function incorrectly returns a wrong verdict — 'local' instead of 'remote.' This allows us to 'fool' the function and use this path to exploit the original Outlook vulnerability."

"Remove" It

Barnea says the original Outlook vulnerability and the subsequent bypass flaw that Akamai discovered are the only two instances the company knows of that targeted the custom reminder sound feature in Outlook. However, for attackers the feature presents an interesting surface for remote, unauthenticated attacks, he says. "We believe it should be removed altogether."

Microsoft did not respond immediately to a Dark Reading request for comment on Akamai's claims about the severity of the bug and the threat it presents.