If you need another reason to apply the December 2023 Patch Tuesday cumulative update – here’s one: it fixes a flaw in Microsoft Outlook that, if abused, could allow hackers to exfiltrate hashed passwords from the computer.
Cybersecurity researchers from Varonis recently discovered, and reported, on a bug found in the calendar sharing function in Outlook which could allow a threat actor to create a custom file and send it to the victim via an email invite.
“By “listening” to a self-controlled path (domain, IP, folder path, UNC, etc.), the threat actor can obtain connection attempts packets that contain the hash used to attempt to access this resource,” the researchers explain.
Hiding the payment
They added that hackers can use many tools to perform this listening, including the Responder.py tool, which they describe as “the go-to tool for every SMB and NTLM hash attack”.
The bug, tracked as CVE-2023-35636, carries a severity score of 6.5.
Besides sending a malicious file via email, the attackers can also engage in web-borne attacks, Microsoft further added:
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.” In this example, the victim would have to be convinced to open a link, which isn’t that uncommon with phishing and spear-phishing attacks. Hackers could distribute the link in an email and trick the victims into opening it.
While Microsoft fixed the bug in its December 2023 Patch Tuesday update, the researchers claim that there are other methods to exploit the flaw which are yet to be addressed. That can allegedly be done via Windows Performance Analyzer (WPA) and the Windows File Explorer.
“What makes this interesting is that WPA attempts to authenticate using NTLM v2 over the open web,” the report stated. “Usually, NTLM v2 should be used when attempting to authenticate against internal IP-address-based services. However, when the NTLM v2 hash is passing through the open internet, it is vulnerable to relay and offline brute-force attacks.”
Via The Hacker News
More from TechRadar Pro