Published: June 03, 2023 on our newsletter Security Fraud News & Alerts Newsletter.
A recent report by cybersecurity researchers has disclosed a security flaw in the Windows MSHTML platform that can be exploited to circumvent integrity protections on targeted machines. The vulnerability, tracked as CVE-2023-29324, has been classified as a "security feature bypass" and was addressed by Microsoft as part of its Patch Tuesday updates for May 2023.
The bug was initially discovered and reported by an Akamai security researcher, who revealed that all Windows versions are affected. However, the researcher also noted that Microsoft Exchange servers with the March update do not include the vulnerable feature.
By exploiting the vulnerability, an unauthenticated attacker on the internet could manipulate an Outlook client into connecting to a server controlled by the attacker. This is a zero-click vulnerability. You may have heard of a "zero-day" vulnerability, which means an issue that has not yet been fixed and therefore leaves open the potential for exploitation. This is not necessarily a zero-day issue; "zero-click" instead means the flaw can be triggered without any action on the user's part.
It is worth noting that this issue is a bypass for a fix Microsoft released in March to resolve a separate flaw (CVE-2023-23397) in Outlook, which had been exploited by Russian threat actors targeting European nations for over a year.
Fortunately, there is something you can do. Microsoft has recommended installing the Internet Explorer Cumulative Update to mitigate this issue. So, there is no need to panic.