Microsoft Outlook Faced Critical Zero-Click RCE Vulnerability
Security researchers have uncovered a critical vulnerability, CVE-2024-38021, affecting most Microsoft Outlook applications.
This zero-click remote code execution (RCE) vulnerability, now patched by Microsoft, did not require any authentication, setting it apart from the previously discovered CVE-2024-30103, which required at least an NTLM token.
If exploited, CVE-2024-38021 could lead to data breaches, unauthorized access and other malicious activities. Microsoft has rated this vulnerability as “Important” and noted a distinction between trusted and untrusted senders.
For trusted senders, the vulnerability is zero-click, but it requires one-click user interaction for untrusted senders.
Morphisec, who discovered the flaw and published an advisory about it on July 9, has urged Microsoft to reclassify the vulnerability as “Critical” to reflect the higher estimated risk and ensure adequate mitigation efforts.
The security firm agreed with Microsoft that this RCE is more complex than CVE-2024-30103, making immediate exploitation less likely. However, combining it with another vulnerability could simplify attacks.
The timeline of events began on April 21, 2024, when Morphisec reported the vulnerability to Microsoft. It was confirmed on April 26, 2024, and patched by Microsoft on July 9, 2024, as part of its Patch Tuesday updates.
To mitigate the risk, it is crucial to update all Microsoft Outlook and Office applications with the latest patches. Additionally, implementing robust email security measures, such as disabling automatic email previews and educating users about the risks of opening emails from unknown sources, is essential.
Additionally, Morphisec said that ensuring comprehensive coverage across the security stack with EDR and Automated Moving Target Defense (AMTD) will further reduce risks and provide endpoint assurance against known and unknown attacks.