Thursday, May 30, 2024

Micropatch Released for Windows Authentication Elevation of Privilege Vulnerability (CVE-2023-36047)



We have just released a micropatch for CVE-2023-36047, a local privilege escalation vulnerability found by Filip Dragović in the way Windows handle files when a user changes their account picture. Filip discovered that on Windows 11, when you change your account picture, this picture is copied to a destination folder by a privileged process (the "User Manager" service). Since this folder is under user's control, they can set up symbolic links to "redirect" the copying to an arbitrary location. This allowed a local unprivileged attacker to copy a malicious DLL to a folder like C:\Windows\System32, where they would normally not be able to create files.

Adding a malicious DLL file to a system folder can lead to execution of attacker's code with the identity of Local System.

Filip published a POC for this issue, which allowed us to create a micropatch.  

 

Our Micropatch

We patched this issue in the same way Microsoft did, by impersonating the calling user instead of allowing to execute the copy operation as Local System. Note that Microsoft's fix is somewhat broken  as changing one's profile picture now results in an error being displayed to the user. Our patch reproduces this behavior as well.

Let's see our patch in action.

With 0patch disabled, running Filip's POC and changing account picture to a new image (which is actually a DLL file) results in such DLL being created in C:\Windows.

With 0patch enabled, however, doing the same results in an "Account picture error" (which also happens on patched Windows 11) and no DLL created in C:\Windows.



Micropatch Availability

Micropatch was only written for Windows 11 v21H2 with all available Windows Updates installed. Even though Microsoft's advisory lists many Windows versions as affected, including some that we have security-adopted, we were unable to reproduce this on these versions. Namely, the entire process of changing the account picture works differently there, and even on Windows 11 v21H2 it works differently than on newer Windows 11 versions. The latter is also the reason why CVE-2024-21447, another vulnerability discovered by Filip in the same code, does not affect Windows 11 v21H2.

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Filip Dragović for sharing their analysis and POC, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.

 

Thursday, April 25, 2024

Micropatches Released for Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2023-35628)

 

December 2023 Windows Updates brought a patch for CVE-2023-35628, a memory corruption vulnerability that could potentially lead to remote code execution when an application on user's computer tried to access a URL provided by an attacker.

Security researcher  Ben Barnea of Akamai, who found this vulnerability and reported it to Microsoft, wrote a detailed article and published a simple and effective POC. These allowed us to reproduce the issue and create a micropatch for affected legacy Windows systems, which are no longer receiving security updates from Microsoft. 


The Vulnerability

The vulnerability resides inside the CrackUrlFile function in iertutil.dll. In July 2023, Microsoft added some code to this function that introduced the vulnerability, whereby a heap free operation is made on an invalid pointer when the provided URL is properly formatted as described in Ben's article.

CrackUrlFile is a fairly generic function and can be used by various processes and applications. Ben demonstrated the vulnerability with a simple .lnk file, which immediately crashes Windows Explorer when the directory with such file is displayed to the user. His article also mentions a possibility of triggering the vulnerability through an email message shown in Outlook, and Microsoft's advisory adds an Instant Messenger message as a possible attack vector.


Our Micropatch

We patched this issue in the same way Microsoft did, by replacing the flawed code that changed the pointer to the URL with corrected code that doesn't.

Let's see our patch in action. The video below first shows an empty Windows Event Log and a malicious .lnk file in the Downloads folder pointing to file://./UNC/C:/Akamai.com/file.wav. (Note that displaying this .lnk file does not crash Windows Explorer because 0patch is enabled and the vulnerability already patched by it.)

Then, 0patch is disabled, which un-applies all 0patch micropatches from running processes, including the micropatch for CVE-2023-35628 from explorer.exe process. Opening the Downloads folder leads to immediate crashing of explorer.exe without any other user interaction as the process tries to determine an icon for the .lnk file, leading to the "malicious" URL being processed by vulnerable CrackUrlFile function.

Finally, 0patch is re-enabled, and the malicious .lnk file is unable to crash Windows Explorer because the vulnerability was removed from the process.



Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 v21H2 - fully updated
  2. Windows Server 2012 R2 - fully updated with no ESU
 
Our patches only cover Windows 11 21H2 and Windows Server 2012 R2, as other systems either received official patches in December 2023 or don't even have the vulnerability that was only introduced in July of 2023. Even though Microsoft also listed Windows Server 2012 as affected, we couldn't reproduce the issue on this system, and could find no traces of vulnerable code there either.
 
Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank  Ben Barnea of Akamai for sharing their analysis and POC, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.

 

Wednesday, April 24, 2024

Micropatches Released for Windows Workstation and Server Service Elevation of Privilege Vulnerability (CVE-2022-38034, CVE-2022-38045, No CVE)

 

 

October 2022 Windows Update brought fixes for two interesting vulnerabilities, CVE-2022-38034 and CVE-2022-38045. They allowed a remote attacker to access various "local-only" RPC functions in Windows Workstation and Windows Server services respectively, bypassing these services' RPC security callbacks. These vulnerabilities were found by Ben Barnea and Stiv Kupchik of Akamai who published a detailed article and provided a proof-of-concept tool.

We missed this publication back in 2022 (probably being busy patching some other vulnerabilities), but once we found it we confirmed that some of the legacy Windows versions that we had security-adopted were affected and decided to provide patches for them.

 

The Vulnerability

The vulnerability stems from the fact that older Windows systems, but also current Windows systems with less than 3.5GB of RAM, pack two or more services into the same svchost.exe process. Apparently this can be a problem; in our case, it enables both Workstation and Server Service - which normally don't accept authentication requests - to accept authentication requests when bundled up with another service that does. When that happens, the previously (remotely) inaccessible functions from these services become remotely accessible because successful authentication gets cached and is subsequently looked up without additional security checks.

Microsoft's Patch

Microsoft's patch effectively disabled said caching for both services. Patched versions of wkssvc.dll and srvsvc.dll contain updated flags that are passed to the RpcServerRegisterIfEx function when these service are initialized. The flags that were previously 0x11 (RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH | RPC_IF_AUTOLISTEN) have been replaced with 0x91 (RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH | RPC_IF_AUTOLISTEN | RPC_IF_SEC_CACHE_PER_PROC).


Our Micropatch

We could patch these vulnerabilities in wkssvc.dll and srvsvc.dll in exactly the same way Microsoft did, but that would require users to restart Workstation and Server services for the modified flags to kick in. (Remember that Windows updates make you restart the computer anyway, but we have higher standards than that and want our patches to come in effect without a restart.)

Therefore, we decided to place our patches in rpcrt4.dll, which gets loaded in all RPC server processes and manages the cache and security callbacks for every Windows RPC interface. Our patch sits in the RPC_INTERFACE::DoSyncSecurityCallback function that processes the cached values and decides whether to call the security callback or use the cached result. It first checks if it's running in the Workstation or Server Service process, and if so, simply forces the security callback.

Here's the source code of our micropatch.



;XX-1699
MODULE_PATH "..\AffectedModules\rpcrt4.dll_10.0.19041.1288_Win10-2004_64-bit_u2021-12\rpcrt4.dll"
PATCH_ID 1736
PATCH_FORMAT_VER 2
VULN_ID 7814
PLATFORM win64
       
patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x96ae2
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
    PIT rpcrt4.dll!0x4e0b4,kernel32.dll!GetModuleHandleW
           
    code_start
        
        call MODNAME1
        db __utf16__('wkssvc.dll'),0,0  ;load "wkssvc.dll" string
    MODNAME1:
        pop rcx                         ;pop the string into the first arg
        sub rsp, 0x20                   ;create the shadowspace
        call PIT_GetModuleHandleW       ;call GetModuleHandleW to check if wkssvc.dll is
                                        ;loaded in the current process
        add rsp, 0x20                   ;delete the shadowspace
        cmp rax, 0x0                    ;check if the call succeeded   
        jne PIT_0x4e0b4                 ;if success, we are in the Workstation Service process,
                                        ;so we block security callback caching by simulating
                                        ;the caching flag being disabled    
        call MODNAME2
        db __utf16__('srvsvc.dll'),0,0  ;load "srvsvc.dll" string
    MODNAME2:
        pop rcx                         ;pop the string into the first arg
        sub rsp, 0x20                   ;create the shadowspace
        call PIT_GetModuleHandleW       ;call GetModuleHandleW to check if 
srvsvc.dll is
                                        ;loaded in the current process
        add rsp, 0x20                   ;delete the shadowspace
        cmp rax, 0x0                    ;check if the call succeeded   
        jne PIT_0x4e0b4                 ;if success, we are in the Server Service process,
                                        ;so we block security callback caching by simulating
                                        ;the caching flag being disabled
    
    code_end
patchlet_end


 

While working on this patch we noticed that the Workstation Service security callback behaved differently on different Windows versions. On Windows 10 and later, the security callback blocks functions with numbers ("opnums") between 8 and 11 from being executed remotely, which is exactly what CVE-2022-38034 bypasses. However, on older Windows versions like Windows 7 up to ESU 2 (2nd year of Extended Security Updates), these functions are not blocked from remote access at all. For our CVE-2022-38034 patch to even make sense on these older versions of Windows, we therefore first needed to add the missing security callback checks to wkssvc.dll.

We were curious about the origin of these security checks and did some digging across different wkssvc.dll versions. We found they were added to the Workstation Service some time before April 2021 on Windows 10, and sometime after January 2022 on Windows 7, but we were unable to find any CVE references associated with them. Our best guess is that they were added silently, first on Windows 10 and almost a year later also on Windows 7.

Our patch for this CVE-less vulnerability behaves the same as Microsoft's. First, we get the caller's binding data,  then we check the opnum of the called function and determine whether the user is local or not. If the called opnum is between 8 and 11 and the caller is not local, we fail the call with "access denied" error. 


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 10 v2004 - fully updated
  2. Windows 10 v1909 - fully updated
  3. Windows 10 v1809 - fully updated
  4. Windows 10 v1803 - fully updated
  5. Windows 7 - fully updated with no ESU, ESU 1 or ESU 2
  6. Windows Server 2008 R2 - fully updated with no ESU, ESU 1 or ESU 2
     
      
    Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

    Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

    If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

    We would like to thank Ben Barnea and Stiv Kupchik of Akamai for sharing their analysis and proof-of-concept, which made it possible for us to create micropatches for these issues.

    To learn more about 0patch, please visit our Help Center.

     

    Thursday, April 4, 2024

    Micropatches for Windows Local Session Manager Elevation of Privilege (CVE-2023-21771)

     


    In December of 2022, Ben Barnea of Akamai posted an X thread about a bug they had found in Windows Local Service Manager (LSM) that can lead to local privilege escalation from regular user account to Local System. Ben discovered that code in LSM was missing a return value check after a call is made to RpcImpersonateClient to impersonate the caller: a failed impersonation attempt would therefore keep the code running as Local System.

    After trying out several ideas to make the RpcImpersonateClient function fail, Ben succeeded with an interesting race condition trick, changing the caller's token after the call has been accepted by LSM, but before the impersonation is attempted.

    Microsoft assigned this issue CVE-2023-21771, and issued a fix for it with January 2023 Windows Updates. 

    Ben's X thread and proof of concept allowed us to reproduce the issue and create a micropatch for users of legacy Windows systems, which are no longer receiving security updates from Microsoft. 


    Microsoft's Patch

    Microsoft patched this issue by adding a check for the return value of RpcImpersonateClient call, and skipping the processing if the call fails.


    Our Micropatch

    Our patch is logically identical to Microsoft's:



    ;XX-1665
    MODULE_PATH "..\AffectedModules\lsm.dll_10.0.19041.1266_Win10-2004_64-bit_u2021-12\lsm.dll"
    PATCH_ID 1725
    PATCH_FORMAT_VER 2
    VULN_ID 7813
    PLATFORM win64
           
    patchlet_start
        PATCHLET_ID 1
        PATCHLET_TYPE 2
        PATCHLET_OFFSET 0x58a63
        N_ORIGINALBYTES 5
        JUMPOVERBYTES 0
        PIT lsm.dll!0x58a7a
        
        code_start
            
            cmp rax, 0x0        ;check if RpcImpersonateClient returned 0 for success
            jne PIT_0x58a7a     ;if not, jump to the error block
           
        code_end
    patchlet_end

     

    Micropatch Availability

    Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

    1. Windows 10 v21H1 - fully updated
    2. Windows 10 v2004 - fully updated
     
    Older Windows 10 versions, Windows 7 and Server 2008 R2 were not affected by this issue. Newer Windows 10 versions received an official patch from Microsoft.
      
    Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

    Vulnerabilities like this get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

    If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

    We would like to thank  Ben Barnea of Akamai for sharing their analysis, which made it possible for us to create a micropatch for this issue.

    To learn more about 0patch, please visit our Help Center.

     

    Tuesday, April 2, 2024

    Micropatches for Leaking NTLM Credentials Through Windows Themes (CVE-2024-21320)

     


    January 2024 Windows Updates brought a patch for CVE-2024-21320, a privilege escalation vulnerability in Windows. The vulnerability allows a remote attacker to acquire user's NTLM credentials when the victim simply downloads a Theme file or views such file in a network folder.

    Security researcher Tomer Peled of Akamai discovered this issue, reported it to Microsoft, and later published a detailed article along with a proof of concept. These allowed us to reproduce the issue and create a micropatch for users of legacy Windows systems, which are no longer receiving security updates from Microsoft. 


    The Vulnerability

    In short, the Theme file format allows a .theme file to specify two images, BrandImage and Wallpaper, which can also be on a remote network share and which Windows Explorer will automatically try to load when a Theme file is downloaded or displayed in a folder. A malicious Theme file could have these images point to a shared folder on attacker's computer, where user's NTLM credentials would be harvested and used for impersonating the user.

    Note that Theme files are already generally considered "dangerous", and you cannot, for example, receive one as an email attachment through Outlook any more than you cannot receive an attached EXE file. This is for a good reason: a Theme file can specify a malicious screen saver, which is essentially an EXE file, so double-clicking such Theme file would be effectively as dangerous as double-clicking a malicious EXE. The vulnerability at hand, in contrast, is about simply downloading or viewing a Theme file in a folder, which is a much easier thing for an attacker to achieve than getting the user to actually apply a malicious theme.


    Microsoft's Patch

    As Tomer notes in their article, Microsoft patched this bug by implementing a registry value called DisableThumbnailOnNetworkFolder, which controls a security check for both image paths by calling PathIsUNC. In case DisableThumbnailOnNetworkFolder is 1 and PathIsUNC returns true, images are not loaded if located on a shared folder.


    Our Micropatch

    Our patch is logically identical to Microsoft's, only that the decision to block images on network path is hard-coded and not configurable via the registry. The patch consists of two small patchlets located in ThumbnailLoadImage and CFileSource::s_LoadPIDLFromPath functions of themeui.dll, both calling PathIsUNC and preventing the image from loading if its path is on a network share. 



    ;XX-1641
    MODULE_PATH "..\AffectedModules\themeui.dll_6.1.7601.24260_Win7_32-bit_uNoESU\themeui.dll"
    PATCH_ID 1718
    PATCH_FORMAT_VER 2
    VULN_ID 7812
    PLATFORM win32
           
    patchlet_start
        PATCHLET_ID 1
        PATCHLET_TYPE 2
        PATCHLET_OFFSET 0xbb90
        N_ORIGINALBYTES 5
        JUMPOVERBYTES 0
        PIT shlwapi.dll!PathIsUNCW,themeui.dll!0xbc00
        
        code_start
        
            push dword[ebp+0x8]  ;push patch string pointer as first arg
            call PIT_PathIsUNCW  ;call PathIsUNCW to check if the string from
                                 ;the theme file is a UNC path
            cmp eax, 0x0         ;check if the function returned TRUE or FALSE
            jne PIT_0xbc00       ;if TRUE, jump to an error block
           
        code_end
    patchlet_end

    patchlet_start
        PATCHLET_ID 2
        PATCHLET_TYPE 2
        PATCHLET_OFFSET 0x4bb7
        N_ORIGINALBYTES 5
        JUMPOVERBYTES 0
        PIT shlwapi.dll!PathIsUNCW,themeui.dll!0x4c26
        
        code_start
        
            push dword[ebp-0x294] ;push patch string pointer as first arg
            call PIT_PathIsUNCW   ;call PathIsUNCW to check if the string from
                                  ;the theme file is a UNC path
            cmp eax, 0x0          ;check if the function returned TRUE or FALSE
            jne PIT_0x4c26        ;if TRUE, jump to an error block
           
        code_end
    patchlet_end


     

    It is worth noting that neither Microsoft's nor our patch prevents the remote loading of these images in case the user actually opens a Theme file (e.g., by double-clicking on it) in order to apply the theme. While Windows do show a Mark-of-the-Web warning in such case for Theme files originating from the Internet, it would make little sense to add code for preventing NTLM leaks there because a malicious Theme file would probably install a malicious screen saver instead of just leak user's credentials.

    Let's see our micropatch in action. 

    The attacker's computer on the right side of the video is waiting to collect user's NTLM credentials. A Windows user on the left opens the Downloads folder where a malicious Theme file was previously automatically downloaded while they visited attacker's web site. With 0patch disabled, just viewing the Theme file in the Downloads folder results in Windows Explorer trying to load the two images from attacker's computer, resulting in their NTLM credentials being captured there.

    With 0patch enabled, viewing a Theme file no longer results in leaking user's NTLM credentials.



    Micropatch Availability

    Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

    1. Windows 11 v21H1 - fully updated
    2. Windows 10 v20H2 - fully updated
    3. Windows 10 v2004 - fully updated
    4. Windows 10 v1909 - fully updated
    5. Windows 10 v1809 - fully updated
    6. Windows 10 v1803 - fully updated
    7. Windows 7 - no ESU, ESU 1 to 3
    8. Windows Server 2012 - fully updated
    9. Windows Server 2012 R2 - fully updated
    10. Windows Server 2008 - no ESU, ESU 1 to 3
      
    Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

    Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

    If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

    We would like to thank  Tomer Peled of Akamai for sharing their analysis, which made it possible for us to create a micropatch for this issue.

    To learn more about 0patch, please visit our Help Center.

     

    Friday, March 15, 2024

    Micropatches Released for Microsoft Outlook "MonikerLink" Remote Code Execution Vulnerability (CVE-2024-21413)

     


    In February 2024, still-Supported Microsoft Outlook versions got an official patch for CVE-2024-21413, a vulnerability that allowed an attacker to execute arbitrary code on user's computer when the user opened a malicious hyperlink in attacker's email.

    The vulnerability was discovered by Haifei Li of Check Point Research, who also wrote a detailed analysis. Haifei reported it as a bypass for an existing security mechanism, whereby Outlook refuses to open a file from a shared folder on the Internet (which could expose user's NTLM credentials in the process). The bypass works by adding an exclamation mark ("!") and some arbitrary text to the end of the file path, which turns the link into a "Moniker link". When opening moniker links, Windows download the file, open it and attempt to instantiate the COM object referenced by the text following the exclamation mark. An immediate result of this is that an SMB request is automatically sent to the remote (attacker's) server, revealing user's NTLM credentials. An additional risk is that this could lead to arbitrary code execution.

     

    Official Patch

    Microsoft patched this issue by effectively cutting off  "Moniker link" processing for Outlook email hyperlinks. They did this in an unusual way, however. In contrast to their typical approach - changing the source code and rebuilding the executable file -, they ventured deep into "our" territory and hot-patched this issue with an in-memory patch. Hmm, why would they do that?

    The answer lies in the fact that the behavior they wanted to change is implemented in ole32.dll,  but this DLL is being used by many applications and they didn't want to affect them all (some of them may rely on moniker links being processed). So what they did was use their Detours package to replace ole32.dll's  MkParseDisplayName function (the one parsing moniker links) with an essentially empty function - but only in Outlook.


    Our Micropatch

    While still-supported Microsoft Office versions have received the official vendor fix for this vulnerability, Office 2010 and 2013 - which we have security-adopted - are also vulnerable. In order to protect our users, we have created our own micropatch for this vulnerability.

    We could implement a logically identical patch to Microsoft's by patching ole32.dll and checking in the patch if the running process is outlook.exe - but since ole32.dll is a Windows system file, this would require creating a patch for all Windows versions and then porting the patch every time this file is updated by Windows updates in the future. Not ideal.

    Instead, we decided to take a different route. When parsing the hyperlink, Outlook at some point calls the HlinkCreateFromString function, which then calls further into ole32.dll and eventually to MkParseDisplayName, which we wanted to cut off.

    A quick detour (pun intended) of our own here: The HlinkCreateFromString documentation states the following:

    [Never pass strings from a non-trusted source. When creating a hyperlink with HlinkCreateFromString, the pwzTarget parameter is passed to MkParseDisplayNameEx. This call is safe, but the less safe MkParseDisplayName will be called for the string under the following circumstances:

        Not a file or URL string.
        Does not contain a colon or forward slash.
        Less than 256 characters.

    A pwzTarget string of the form "@progid!extra" will instantiate the object registered with the specified progid and, if it implements the IMoniker interface, invoke IMoniker::ParseDisplayName with the "extra" string. A malicious object could use this opportunity to run unexpected code. ]

    This, we believe, is the reason why Microsoft categorized the flaw at hand as "remote code execution."

    Okay, back to our patch. There exists a function very similar to HlinkCreateFromString called HlinkCreateFromMoniker. This function effectively does the same with a moniker as the former does with a string, but without ever calling MkParseDisplayName. Our patch now simply replaces the call to (unsafe) HlinkCreateFromString with a call to (safe) HlinkCreateFromMoniker using a moniker that it first creates from the hyperlink string. To minimize the impact, this is only done for "file://" URLs containing an exclamation mark.


    Micropatch Availability

    The micropatch was written for the following security-adopted versions of Office with all available updates installed:

    1. Microsoft Office 2013
    2. Microsoft Office 2010

    This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

    Vulnerabilities like this one get discovered on a regular basis, and attackers know about them. If you're using Office 2010 or 2013, 0patch will make sure such vulnerabilities won't be exploited on your computers - and you won't even have to know or care about updating.

    If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

    To learn more about 0patch, please visit our Help Center

    We'd like to thank Haifei Li for sharing their analysis, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.

    Friday, February 23, 2024

    Micropatches Released for Microsoft Outlook Information Disclosure Vulnerability (CVE-2023-35636)

     


     

    In December 2023, still-Supported Microsoft Outlook versions got an official patch for CVE-2023-35636, a vulnerability that allowed an attacker to coerce user's Outlook to authenticate to attacker's remote server, revealing user's NTLM hash in the process.

    The vulnerability was discovered by Varonis researcher Dolev Taler, who wrote up a detailed article about it. In summary, a calendar file attached to an email can point to any URL, including a UNC path on a remote computer - and when the user tried to open such file, their computer would connect to the remote network share and, upon request, authenticate to it and reveal user's NTLM hash.

    Microsoft's December patch changed Outlook's behavior such that whenever an ICS (calendar) file is opened from a specified location (instead of as an attachment), Outlook would display a security warning alerting the user about the potentially harmful content and asking their approval to continue.

    While still-supported Microsoft Office versions have received the official vendor fix for this vulnerability, Office 2010 and 2013 - which we have security-adopted - are also vulnerable. In order to protect our users, we have created our own micropatch for this vulnerability.

    Our patch is logically identical to Microsoft's.


    Micropatch Availability

    The micropatch was written for the following security-adopted versions of Office with all available updates installed:

    1. Microsoft Office 2013
    2. Microsoft Office 2010

    This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

    Vulnerabilities like this one get discovered on a regular basis, and attackers know about them. If you're using Office 2010 or 2013, 0patch will make sure such vulnerabilities won't be exploited on your computers - and you won't even have to know or care about updating.

    If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

    To learn more about 0patch, please visit our Help Center

    We'd like to thank Dolev Taler for sharing their analysis, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.