Microsoft Outlook faces a critical vulnerability (CVE-2023-35636) allowing attackers to exploit the calendar sharing function, accessing NTLM v2 hashed passwords. Threat actors can trick users into opening a specially crafted file through email or a compromised website. Microsoft has swiftly responded by releasing Patch Tuesday security updates for December 2023, urgently advising users to apply the patches to mitigate the risk. Discovered by Dolev Taler with Varonis, the flaw exposes passwords, enabling attackers to conduct offline brute-force or authentication relay attacks to compromise accounts.
The vulnerability stems from Outlook’s calendar sharing function, wherein a specially crafted message with added headers can be used to intercept an NTLM v2 hash. Microsoft acknowledges that an attacker could exploit the flaw by sending the crafted file via email or hosting it on a malicious website. The security patches released address the Outlook vulnerability but do not cover potential exploitation in Windows Performance Analyzer (WPA) and Windows File Explorer, both discovered by Varonis Threat Labs. Varonis recommends protective measures, including using the SMB signing feature and blocking outgoing NTLM v2, emphasizing the urgency of patching to safeguard organizations against potential attacks.
Security researcher Dolev Taler points out that exploiting this vulnerability also extends to Windows Performance Analyzer (WPA) and Windows File Explorer. While the security patches focus on Outlook, Varonis advises additional protective measures, such as enabling SMB signing and blocking outgoing NTLM v2 authentication, emphasizing the importance of actively implementing security measures across network and application levels to defend against potential NTLM v2 attacks. Microsoft’s prompt release of patches underscores the seriousness of the threat, urging users to take immediate action to secure their systems and protect against the exposure of sensitive passwords.
