With the security updates of June 11, 2024, Microsoft has also closed a critical vulnerability in Microsoft Outlook. The vulnerability CVE-2024-30103 allows remote code execution when opening an email. Patching is strongly recommended.
Security update for Outlook
In the blog post Office Updates (June 4, 2024), I pointed out the security updates for the June 2024 Patchday. The security update KB5002600 is available for Outlook 2016, MSI version, to close the RCE vulnerability CVE-2024-30103 (CVSS score 8.8, important). An attacker can exploit the vulnerability to execute remote code on the system simply by having malicious content displayed in the Outlook preview pane.
However, the attacker must be authenticated with valid Exchange user credentials. According to Microsoft, an attacker who successfully exploits this vulnerability could bypass the Outlook registry block lists and enable the creation of malicious DLL files. However, Microsoft classifies this vulnerability as "rather unlikely to be exploited".
More details from Morphisec
The security researchers at Morphisec discovered the vulnerability and published more details about CVE-2024-30103 on June 11, 2024 in the blog post You've Got Mail: Critical Microsoft Outlook Vulnerability Executes as Email is Opened. The vulnerability CVE-2024-30103 affects most Microsoft Outlook clients and allows remote code execution, i.e. attackers could execute arbitrary code on the affected systems. This can lead to possible data breaches, unauthorized access and other malicious activities, the security researchers write.
Interestingly, Morphisec comes to a completely different conclusion regarding exploitability, writing that "the CVE-2024-30103 vulnerability is of particular concern due to the high likelihood of exploitation". It is a zero-click vulnerability where the user does not have to interact with the content of a malicious email. It is sufficient to view the preview, which makes it extremely easy to execute malicious code.
Microsoft may classify the vulnerability as "not likely to be exploitable" because authentication with valid Exchange user credentials is required for the attack. Morphisec probably found the vulnerability by fuzzing and reverse engineering the Outlook code and reported it to Microsoft on April 3, 2024. On April 16, 2024, the vulnerability was confirmed by Microsoft and closed with the Office security updates on June 11, 2024.
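For administrators who want to verify that the Outlook 2016 (MSI) fix named above is actually installed, here is an added PowerShell check (example code, not from the original post or from Microsoft). It assumes the standard Windows Installer uninstall registry locations and matches only on the KB number, since the exact DisplayName text of the patch is not given on this page; Click-to-Run installations do not register per-KB entries, so for those the Office build must be compared against Microsoft's release notes instead.

```powershell
# Added example: check whether security update KB5002600 (Outlook 2016, MSI)
# is registered on this machine. Assumptions: MSI patches appear as entries
# under the standard Uninstall keys with the KB number in DisplayName.
$kb = 'KB5002600'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every uninstall entry whose DisplayName mentions the KB number.
$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayName -match [regex]::Escape($kb) }

if ($entries) {
    foreach ($e in $entries) {
        [pscustomobject]@{
            KB          = $kb
            DisplayName = $e.DisplayName
            InstallDate = $e.InstallDate   # yyyyMMdd as written by the installer
        }
    }
} else {
    # No entry: either the patch is missing (MSI install still exposed to
    # CVE-2024-30103) or Outlook is a Click-to-Run install, which this
    # registry-based check cannot assess.
    Write-Warning "$kb not found in the Windows Installer uninstall entries on $env:COMPUTERNAME."
}
```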
Similar articles:
Office Updates (June 4, 2024)
Microsoft Security Update Summary (June 11, 2024)
Patchday: Windows 10/Server-Updates (June 11, 2024)
Patchday: Windows 11/Server 2022-Updates (June 11, 2024)
Windows Server 2012 / R2 and Windows 7 (June 11, 2024)
Microsoft Office Updates (June 11, 2024)