Key Findings:

– Hyperlink Handling in Outlook: The research demonstrates that “file://” hyperlinks can be manipulated in a specific way that bypasses Outlook’s security measures, such as Protected View.

– The Vulnerability’s Impact: The #MonikerLink bug has a wide and serious impact, ranging from leakage of local NTLM credential information to arbitrary code execution. This is due to the misuse of the Component Object Model (COM) on Windows, where Outlook incorrectly parses a specially crafted hyperlink to access COM objects. This process can bypass Office Protected View, significantly increasing the risk of remote code execution without the user’s knowledge.

– Microsoft’s Acknowledgement and CVSS Severity Score: Microsoft has acknowledged the vulnerability, and the flaw has received a CVSS severity score of 9.8 out of 10, underlining its critical nature.

Recent research by Check Point Research has brought to light a significant security vulnerability in Microsoft Outlook, referred to as the #MonikerLink bug. This flaw, thoroughly detailed in the Check Point Research blog post, could allow an attacker to execute arbitrary code on the victim’s machine. The #MonikerLink bug specifically exploits the way Outlook processes certain hyperlinks, leading to severe security implications.

It is worth noting that CPR’s recent blog, “The Obvious, the Normal, and the Advanced: A Comprehensive Analysis of Outlook Attack Vectors,” highlights this and various other attack vectors within Outlook, aiming to enhance the industry’s awareness of the security risks posed by the popular email application.

Defense and Mitigation:

The vulnerability has been confirmed on the latest Windows and Microsoft Office Outlook, and Check Point has reported the issue to the Microsoft Security Response Center. While awaiting Microsoft’s response, Check Point has developed detection and protection mechanisms for its customers, safeguarding them ahead of public disclosure.

Check Point Customers Remain Protected

Check Point developed various protections for our customers as soon as we discovered the security vulnerability internally, so Check Point customers were protected many months ahead of this disclosure. The protections are:

  • Check Point Email Security has deployed protection for customers since October 25, 2023.
  • Check Point IPS developed and deployed a signature named “Microsoft Outlook Malicious Moniker Link Remote Code Execution (CVE-2024-21413)” to detect and protect against this vulnerability, released on November 15, 2023.

Check Point Research continues to monitor, through our telemetry data, for potential attacks exploiting this bug/attack vector in the wild.

The Bigger Picture:

The #MonikerLink bug underscores a broader security risk associated with the use of unsafe APIs, such as MkParseDisplayName/MkParseDisplayNameEx, potentially affecting not only Outlook but other software that uses these APIs insecurely. The discovery of this bug in Outlook serves as a call to action for the security and developer communities to identify and rectify similar vulnerabilities in other applications, ensuring the safety of the Windows/COM ecosystem.

The #MonikerLink vulnerability discovered in Microsoft Outlook by Check Point Research highlights a significant security flaw that could have profound implications if exploited. This vulnerability stems from the way Outlook processes specially crafted hyperlinks that utilize the “file://” protocol, followed by a specific path, an exclamation mark, and additional arbitrary characters. Unlike standard hyperlinks that prompt security warnings or error messages when deemed unsafe, these manipulated hyperlinks bypass Outlook’s existing security mechanisms, leading to two primary concerns: the leakage of local NTLM credentials and the potential for arbitrary code execution.
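The hyperlink shape described above (a “file://” target, a path, an exclamation mark, then further characters) is something a mail gateway or SOC can look for. The following is an added detection example, not Check Point’s own code: it pulls `href` targets out of an HTML mail body and classifies each as a suspected moniker link, a plain file:// link, or other. The percent-decoding step and the sample hostnames are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Added example, not Check Point's own detection logic: flag <a href> targets
# that use the file:// scheme and carry an exclamation mark after the path,
# the hyperlink shape this advisory describes. Plain file:// links are
# reported separately as a lower-severity hit for analyst review.

FILE_SCHEME_RE = re.compile(r"^file:(//|\\\\)?", re.IGNORECASE)
MONIKER_TAIL_RE = re.compile(r"^[^!]+!.+")  # path, then "!", then more characters


def classify_href(href: str) -> str:
    """Return 'moniker', 'file' or 'other' for one hyperlink target."""
    # Decode percent-encoding first so "%21" is seen as "!" (defensive
    # assumption: the delimiter may arrive encoded).
    target = unquote(href).strip()
    match = FILE_SCHEME_RE.match(target)
    if not match:
        return "other"
    rest = target[match.end():]
    return "moniker" if MONIKER_TAIL_RE.match(rest) else "file"


class _HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # href values of every <a> tag seen

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def scan_email_html(html: str) -> dict:
    """Return {'moniker': [...], 'file': [...]} for the hyperlinks in a mail body."""
    collector = _HrefCollector()
    collector.feed(html)
    hits = {"moniker": [], "file": []}
    for href in collector.hrefs:
        kind = classify_href(href)
        if kind in hits:
            hits[kind].append(href)
    return hits


# Constructed sample mail body (not a real message); hostnames are placeholders.
SAMPLE_HTML = """
<p>Report: <a href="https://intranet.example.test/report">open</a></p>
<p>Archive: <a href="file://fileserver.example.test/share/old.txt">archive</a></p>
<p>Update: <a href="file://untrusted.example.test/share/doc.txt!placeholder">update</a></p>
"""
```

A “moniker” hit is worth blocking or quarantining outright; a plain “file” hit is a review item, since legitimate UNC links to internal shares do occur in corporate mail.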

Leakage of Local NTLM Credentials

The vulnerability allows for the leakage of local NTLM credential information, a critical security issue. NTLM (NT LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. When a user clicks on a malicious hyperlink crafted to exploit the #MonikerLink bug, it initiates a connection using the SMB (Server Message Block) protocol to a remote server controlled by the attacker. This process inadvertently sends the user’s NTLM credentials to the attacker’s server, compromising the user’s authentication details without their knowledge. Such information can be used for further attacks, including accessing restricted areas of a network or executing privileged operations under the guise of the compromised user.

Potential for Arbitrary Code Execution

More alarmingly, the #MonikerLink bug opens the door for arbitrary code execution on the victim’s system. This aspect of the vulnerability takes advantage of the Component Object Model (COM) in Windows. By misleading Outlook into processing the malicious hyperlink as a “Moniker Link,” attackers can invoke COM objects and execute code on the victim’s machine remotely. This process does not involve the Protected View mode in Office applications, which is typically a security measure to prevent potentially harmful documents from executing code without user consent. As a result, attackers can bypass this protective layer, running malicious code at the Medium integrity level, which could lead to full system compromise. It should be noted that Microsoft itself calls this issue a Remote Code Execution and gives it the highest possible rating of ‘critical’.

Exploitation Scenarios

If exploited, this vulnerability could enable attackers to perform a range of malicious activities, including but not limited to:

Data Theft: Accessing and exfiltrating sensitive information stored on the victim’s system or within their network.

Malware Installation: Deploying malware, including ransomware, spyware, or keyloggers, to further compromise the victim’s system or to spread across a network.

Privilege Escalation: Utilizing leaked credentials or arbitrary code execution to gain higher privileges on the victim’s system or network, potentially leading to a full system or network takeover.

Identity Theft: Using stolen NTLM credentials to impersonate the victim, conducting fraudulent activities or accessing confidential resources.


Conclusion

The #MonikerLink vulnerability poses a critical risk to users of Microsoft Outlook, highlighting the necessity for immediate and effective mitigation strategies. Microsoft’s acknowledgment of the issue and the critical CVSS severity score of 9.8 reflect the seriousness of the threat. Both individual users and organizations are urged to apply any patches or security updates provided by Microsoft, to follow recommended security practices, and to remain vigilant against suspicious hyperlinks and emails. The broader implications of this vulnerability also underscore the importance of secure software development practices and the need for ongoing security research to identify and address such vulnerabilities before they can be exploited.

The discovery of the #MonikerLink bug in Microsoft Outlook highlights a critical security issue that extends beyond Outlook to potentially affect other software. This vulnerability, capable of leaking sensitive information and allowing remote code execution, poses a significant risk to organizational security. The research emphasizes the need for immediate action to mitigate this vulnerability and protect against the security risks it presents.

Read the full technical blog
