Microsoft issues update warning for all Outlook users as ‘dangerous’ new threat confirmed

Microsoft updates have been making headlines this month, with multiple Windows vulnerabilities appearing on the U.S. government’s list of vulnerabilities known to have been exploited in the wild. Now, a new report strongly suggests that 500 million Outlook users may face a comparable risk from “a significant… zero-click remote code execution (RCE) vulnerability affecting most Microsoft Outlook applications.”

Microsoft has advised users to update their software, warning that “exploitation is more likely,” despite no exploits having been detected in the wild. The team at Morphisec, which reported the issue to Microsoft, goes further. “Given the broader implications of this vulnerability,” they say, “particularly the zero-click vector for trusted senders and the potential for much broader impact, we have asked Microsoft to reassess the severity and label it as ‘Critical.’”


The researchers warn that the vulnerability “affects the majority of Microsoft Outlook applications,” and nothing in Microsoft’s own release suggests otherwise. These are applications used by most large enterprises, not to mention the hundreds of millions of consumer Outlook mail users. The team says exploiting this RCE on its own is complex, but “coupling this vulnerability with another could potentially simplify the attack surface.” For enterprises, the obvious end goal of an Outlook exploit is ransomware.

CVE-2024-38021 was patched as part of Microsoft’s July security update, a fix Morphisec says it welcomes. “Given its zero-click nature (for trusted senders) and lack of authentication requirements, CVE-2024-38021 poses a serious risk.”

The range of threats, they say, is broad: “This vulnerability allows unauthorized access, arbitrary code execution, and significant damage without any user interaction. The lack of authentication requirements makes it particularly dangerous, as it opens the door to widespread exploitation.”

The repeated reference to “trusted senders” in this alert is important. This vulnerability only presents a zero-click threat when an email is received from a source the recipient’s Outlook treats as trusted. If the sender is unknown, the user must click before anything executes. That said, if the remaining hurdle for an attacker is getting a message accepted as coming from a trusted source, whether by spoofing the address or by sending it from an already compromised account, that’s a very low bar in today’s industrial-strength world of business email compromise.


A Microsoft spokesperson told me, “We are very grateful to Morphisec for their investigation and for responsibly reporting it through a coordinated vulnerability disclosure. Customers who have installed the update are already protected.”
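The practical check for an administrator is whether the installed Outlook (Office) build is at or above the build that carries the July 2024 fix. The following PowerShell script is an added example, not code from the article, Microsoft or Morphisec. It reads the Click-to-Run configuration that Office writes to the registry and compares the installed build against a minimum build you pass in; the correct minimum build depends on the update channel and is not stated on this page, so it is a parameter rather than a hardcoded value, and you should take it from Microsoft’s release notes for your channel.

```powershell
# Added example: verify an Office Click-to-Run install is at or above a given build.
# Not from the article. The required build number is NOT known from the page and
# must be supplied by the caller (look it up for your update channel).
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumBuild   # e.g. the July 2024 build for your channel, as 16.0.x.y
)

# Click-to-Run writes its configuration here; MSI/Store installs will not have it.
$c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

if (-not (Test-Path $c2rKey)) {
    Write-Output 'No Click-to-Run Office installation found (MSI/Store install, or no Office).'
    exit 2
}

$cfg       = Get-ItemProperty -Path $c2rKey
$installed = [version]$cfg.VersionToReport   # four-part build string, e.g. 16.0.xxxxx.xxxxx
$channel   = $cfg.UpdateChannel              # CDN URL that identifies the update channel

Write-Output "Installed Office build : $installed"
Write-Output "Update channel         : $channel"
Write-Output "Required minimum build : $MinimumBuild"

# [version] objects compare numerically, part by part, so 16.0.17000.5 -ge 16.0.9999.100 is $true.
if ($installed -ge $MinimumBuild) {
    Write-Output 'OK: Office is at or above the required build.'
    exit 0
}
else {
    Write-Output 'UPDATE NEEDED: Office is below the required build; apply Office updates.'
    # To kick off an update check immediately on this machine, uncomment:
    # & "$env:ProgramFiles\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe" /update user
    exit 1
}
```

Run it as `.\Check-OfficeBuild.ps1 -MinimumBuild 16.0.x.y` with the build from the release notes. Because Office follows its own update channel rather than Windows Update, a machine can be fully current on Windows patches and still be running an unpatched Outlook, which is why the Office build, not the Windows patch level, is the thing to check here.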

As is typical with these kinds of disclosures, few technical details are released until most users have had a chance to patch their software. Those details are coming soon, though. Morphisec says it discovered the vulnerability through “extensive fuzzing and reverse engineering of the Microsoft Outlook codebase,” and will share more of its findings with the security community at next month’s Def Con 32 in Las Vegas in a session interestingly titled “Outlook Unleashing RCE Chaos.”
