Ben Barnea, a security researcher at Akamai, has discovered a novel way to compromise a Microsoft Windows system via a malicious .wav file used by Outlook.

Two vulnerabilities were discovered. The first is a Windows HTML security feature bypass vulnerability, tracked as CVE-2023-35384. It allows an attacker to craft a malicious file or send a malicious URL that evades Security Zone tagging, resulting in a loss of integrity and availability of the security features utilised by the device's browsers and by some custom applications, including Outlook.

The second vulnerability, tracked as CVE-2023-36710, is a Windows Media Foundation Core remote code execution vulnerability.

While examining how a WAV (Waveform Audio File) is played, the researcher found it was possible to trigger two out-of-bounds writes with WAV files of a certain size. An out-of-bounds write or read flaw makes it possible to manipulate memory outside the buffer intended for the file's data, including memory allocated to more critical functions.
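The following is an added illustration of the defensive pattern behind this bug class; it is not Akamai's research code or Microsoft's Media Foundation code, and it does not reproduce the actual flawed logic, which this article does not describe. It is a minimal RIFF/WAV chunk walker that checks every declared chunk size against the bytes actually present before touching them, and an overflow-checked output-size calculation of the kind a decoder needs before allocating. The two byte arrays are constructed sample files: one well-formed, one with a "data" chunk whose declared size far exceeds the file.

```c
// wav_check.c: defensive WAV chunk parsing (constructed example, not vendor code).
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum wav_status { WAV_OK = 0, WAV_TRUNCATED, WAV_BAD_MAGIC, WAV_BAD_CHUNK, WAV_NO_FMT, WAV_NO_DATA };

struct wav_info {
    uint16_t format_tag, channels, bits_per_sample;
    uint32_t sample_rate, data_bytes;
};

/* Little-endian field readers; the caller guarantees the bytes are in bounds. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walks the chunk list. Every size field comes from the file and is untrusted. */
enum wav_status wav_parse(const uint8_t *buf, size_t len, struct wav_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 12) return WAV_TRUNCATED;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0) return WAV_BAD_MAGIC;
    size_t pos = 12;
    int have_fmt = 0, have_data = 0;
    while (pos + 8 <= len) {                 /* need a full 8-byte chunk header */
        uint32_t csize = rd32(buf + pos + 4);
        size_t body = pos + 8;
        /* Compare against the remaining bytes instead of computing body + csize,
           which could wrap on a 32-bit size_t and defeat the check. */
        if (csize > len - body) return WAV_BAD_CHUNK;
        if (memcmp(buf + pos, "fmt ", 4) == 0) {
            if (csize < 16) return WAV_BAD_CHUNK; /* PCM fmt body is at least 16 bytes */
            out->format_tag      = rd16(buf + body);
            out->channels        = rd16(buf + body + 2);
            out->sample_rate     = rd32(buf + body + 4);
            out->bits_per_sample = rd16(buf + body + 14);
            have_fmt = 1;
        } else if (memcmp(buf + pos, "data", 4) == 0) {
            out->data_bytes = csize;          /* validated above, so it fits in the file */
            have_data = 1;
        }
        size_t advance = (size_t)csize + (csize & 1u); /* chunks are padded to even length */
        if (advance > len - body) advance = len - body; /* pad byte may be absent at EOF */
        pos = body + advance;
    }
    if (!have_fmt) return WAV_NO_FMT;
    if (!have_data) return WAV_NO_DATA;
    return WAV_OK;
}

/* Bytes needed to hold the samples as 16-bit PCM. Returns 1 on success, 0 if the
   input is unsupported or the result would not fit a 32-bit allocation size;
   a decoder that skipped this check could allocate a wrapped (too small) buffer. */
int wav_pcm16_output_size(const struct wav_info *info, uint32_t *out) {
    if (info->bits_per_sample != 8 && info->bits_per_sample != 16) return 0;
    uint64_t samples = (uint64_t)info->data_bytes / (info->bits_per_sample / 8u);
    uint64_t need = samples * 2u;            /* 64-bit arithmetic, cannot wrap here */
    if (need > UINT32_MAX) return 0;
    *out = (uint32_t)need;
    return 1;
}

/* Constructed sample: 8 kHz, mono, 8-bit PCM, four samples of silence. */
static const uint8_t GOOD_WAV[48] = {
    'R','I','F','F', 40,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0, 1,0, 1,0, 0x40,0x1F,0,0, 0x40,0x1F,0,0, 1,0, 8,0,
    'd','a','t','a', 4,0,0,0, 0x80,0x80,0x80,0x80
};
/* Constructed sample: identical, but the data chunk claims 0xFFFFFFFF bytes. */
static const uint8_t BAD_WAV[48] = {
    'R','I','F','F', 40,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0, 1,0, 1,0, 0x40,0x1F,0,0, 0x40,0x1F,0,0, 1,0, 8,0,
    'd','a','t','a', 0xFF,0xFF,0xFF,0xFF, 0x80,0x80,0x80,0x80
};

enum wav_status wav_parse_status(const uint8_t *buf, size_t len) {
    struct wav_info info;
    return wav_parse(buf, len, &info);
}
uint32_t wav_parsed_sample_rate(const uint8_t *buf, size_t len) {
    struct wav_info info;
    return wav_parse(buf, len, &info) == WAV_OK ? info.sample_rate : 0;
}
/* Returns the 16-bit PCM output size for an 8-bit stream of data_bytes, or 0 on overflow. */
uint32_t pcm16_size_for_8bit(uint32_t data_bytes) {
    struct wav_info info = {1, 1, 8, 8000, data_bytes};
    uint32_t out = 0;
    return wav_pcm16_output_size(&info, &out) ? out : 0;
}

int main(void) {
    printf("good: %d, bad: %d, truncated: %d\n",
           wav_parse_status(GOOD_WAV, sizeof GOOD_WAV),
           wav_parse_status(BAD_WAV, sizeof BAD_WAV),
           wav_parse_status(GOOD_WAV, 30));
    printf("pcm16 size for 0xFFFFFFFF input bytes: %u (0 = refused)\n", pcm16_size_for_8bit(0xFFFFFFFFu));
    return 0;
}
```

The two checks worth noting are the order of operands in `csize > len - body` (subtracting from the known-good length instead of adding to the untrusted size) and the 64-bit intermediate in the output-size computation; both are cheap and remove the arithmetic wrap that typically turns a size field into an out-of-bounds write.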

To compromise the system, the two vulnerabilities are chained together. An attacker sends an affected Outlook client an email reminder with a custom notification sound. Using the first vulnerability, the client is made to retrieve the sound file from an SMB server hosted on the Internet.

When Outlook auto-plays the custom sound file, code execution can be achieved, leading to the compromise of the victim's machine without any human interaction (a so-called zero-click attack).

Both vulnerabilities were responsibly disclosed to Microsoft and addressed in the August and October 2023 Patch Tuesday releases, so these attacks can only compromise unpatched devices.