A security hole in Microsoft Outlook lets attackers in without the recipient opening a malicious message

“There are at least two confirmed CVEs that have not been patched, (both) leading to full NTLM [Network Trust Level Manager] compromise, so the risk is still there,” Gorelik told CSO Online on Wednesday.

The hole, which Microsoft has designated CVE-2024-38173, allows email-borne malware to run without the recipient opening the message, courtesy of Outlook’s email preview. Even where mail preview is not used, the malware can still work, since most of a company’s employees are likely to open those messages. They know they shouldn’t open an unknown attachment or click an unexpected link, but this attack method doesn’t require those actions.

“The discovery of CVE-2024-38173 highlights a critical flaw in Outlook’s form-based architecture, where an attacker with access to an account can craft and distribute a malicious form that evades detection due to the use of a flawed deny list,” Gorelik said.

