Make sure your Outlook is patched!
Researchers Reveal How Vulnerability in Outlook Could Leak Your NTLM Passwords
A now-patched vulnerability in Microsoft Outlook can be used by threat actors to access NT LAN Manager (NTLM) v2 hashed passwords when opening a specially crafted file.
The issue, tracked as CVE-2023-35636 (CVSS score: 6.5), was fixed by the tech giant as part of the December 2023 Patch Tuesday updates.
In an email attack scenario, an attacker could exploit this vulnerability by sending a specially crafted file to the user and convincing the user to open the file," Microsoft said in an advisory published last month. said .
"In a web-based attack scenario, an attacker could host a website containing a specially crafted file designed to exploit the vulnerability (or exploit a compromised website that accepts or hosts user-provided content."
In other words, the attacker must persuade users to click on a link embedded in a phishing email or sent via instant message, and then trick them into opening the file in question.
CVE-2023-35636 relies on calendar sharing functionality in the Outlook email application; Here, a malicious email message is created by sequentially appending two headers, "Content-Class" and "x-sharing-config-url", along with crafted values. To reveal the victim's NTLM hash during authentication.
Varonis security researcher Dolev Taler, who discovered and reported the bug, said NTLM hashes can be leaked using Windows Performance Analyzer (WPA) and Windows File Explorer. However, these two attack methods remain unpatched.
"What makes this interesting is that WPA attempts to authenticate over the open web using NTLM v2," Taler said.
Typically, NTLM v2 should be used when authenticating against internal IP address-based services. However, when the NTLM v2 hash passes over the open internet, it is vulnerable to relaying and offline brute force attacks."
The revelation comes as Check Point uncovered a case of "forced authentication" that could be used as a weapon to exfiltrate a Windows user's NTLM tokens by tricking a victim into opening a fraudulent Microsoft Access file.
Microsoft announced in October 2023 that it plans to discontinue NTLM in Windows 11 in favor of Kerberos for enhanced security due to it not supporting encryption methods and being susceptible to relay attacks.
Please make sure that links are safe before clicking on them, even from those you trust most. Stay safe.