Researcher Details Microsoft Outlook Zero-Click Vulnerability (CVE-2024-38021)
Researchers at Morphisec have identified a critical remote code execution (RCE) vulnerability in Microsoft Outlook, tracked as CVE-2024-38021, which can be exploited without any user interaction. The vulnerability is particularly severe because it does not require user authentication and has the potential for widespread impact, which has prompted calls for Microsoft to reclassify it from 'Important' to 'Critical'. The flaw stems from the unsafe parsing of composite monikers in image tags and allows both arbitrary code execution and NTLM credential leakage.

Although Microsoft has issued patches addressing this and other vulnerabilities, the initial fixes did not cover all scenarios, so further updates were required. Morphisec underscores the need for prompt patching, robust email security controls, and user education to mitigate such risks. Details and a proof of concept for this vulnerability will be presented at DEF CON 32, highlighting the ongoing challenge of securing widely used software such as Microsoft Outlook.