Expert Details New Windows Zero-Click Vulnerability for NTLM Credential Theft
Cybersecurity researchers have shared details about a now-patched security flaw in the Windows MSHTML platform that can be abused to bypass integrity protections on targeted machines.
The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023.
Akamai security researcher Ben Barnea, who found and reported the bug, noted that all versions of Windows are affected, but pointed out that Microsoft Exchange servers with the March update have had the vulnerable feature removed.
“Unauthenticated attackers on the internet could use vulnerabilities to force Outlook clients to connect to servers controlled by attackers,” Barnea said in a report shared with The Hacker News.
“This led to NTLM credential theft. This is a no-click vulnerability, meaning it can be triggered without user interaction.”
It’s also worth noting that CVE-2023-29324 is a bypass of a fix that Microsoft shipped in March 2023 to resolve CVE-2023-23397, a critical privilege escalation flaw in Outlook that the company says Russian threat actors have exploited in attacks targeting European entities since April 2022.
Akamai says the problem stems from the complex handling of paths in Windows, which allows threat actors to craft malicious URLs that circumvent internet security zone checks.
“This vulnerability is another example of patch scrutiny leading to new vulnerabilities and bypasses,” said Barnea. “This is a clickless media parsing attack surface that contains potentially critical memory corruption vulnerabilities.”
To stay fully protected, Microsoft further recommends that users install the Internet Explorer Cumulative Updates to address vulnerabilities in the MSHTML platform and scripting engine.