Microsoft Outlook Faced Critical Zero-Click RCE Vulnerability
Security researchers have uncovered a critical vulnerability, CVE-2024-38021, affecting most Microsoft Outlook applications.
This zero-click remote code execution (RCE) vulnerability, now patched by Microsoft, did not require any authentication, setting it apart from the previously discovered CVE-2024-30103, which required at least an NTLM token.
If exploited, CVE-2024-38021 could lead to data breaches, unauthorized access and other malicious activities. Microsoft has rated this vulnerability as “Important” and noted a distinction between trusted and untrusted senders.
When the email comes from a trusted sender, the vulnerability is zero-click; when the sender is untrusted, exploitation requires a one-click user interaction.
Morphisec, which discovered the flaw and published an advisory about it on July 9, has urged Microsoft to reclassify the vulnerability as “Critical” to reflect the higher estimated risk and to ensure adequate mitigation efforts.
The security firm agreed with Microsoft that this RCE is more complex to exploit than CVE-2024-30103, making immediate exploitation less likely. However, chaining it with another vulnerability could simplify attacks.
The timeline of events began on April 21, 2024, when Morphisec reported the vulnerability to Microsoft. It was confirmed on April 26, 2024, and patched by Microsoft on July 9, 2024, as part of its Patch Tuesday updates.
To mitigate the risk, it is crucial to update all Microsoft Outlook and Office applications with the latest patches. Additionally, implementing robust email security measures, such as disabling automatic email previews and educating users about the risks of opening emails from unknown senders, is essential.
Additionally, Morphisec said that ensuring comprehensive coverage across the security stack with EDR and Automated Moving Target Defense (AMTD) will further reduce risks and provide endpoint assurance against known and unknown attacks.