Microsoft just patched a zero-click remote code execution (RCE) vulnerability in Microsoft Outlook. Zero-click exploits are troubling because they don't require any action from the target, like clicking links, visiting websites, or downloading files. That is a problem because the standard security advice has always been "don't click links in emails". Now it's "don't open emails"?
Morphisec, which discovered and disclosed the vulnerability to Microsoft, and Microsoft, which patched it, didn't give many details. So let's fill in some of the blanks.
Requirements for a Zero Click Exploit
First, zero-click exploits require two things. The first is a public-facing interface that's listening: think text messages, email, Voice over IP, or any software functionality that regularly receives requests (PUT, POST, etc.) and/or other data. The second requirement is some automatic processing of whatever arrives on that interface.
The vulnerability, CVE-2024-30103, allows attackers to remotely execute arbitrary code by sending a maliciously crafted email. When the recipient opens the email, the exploit is triggered. OK, technically this wasn't a zero-click exploit because it requires the target to open the email, but close enough.
How this Zero Click Exploit Works
Microsoft classified the weakness as CWE-184, Incomplete List of Disallowed Inputs (Common Weakness Enumeration). Basically, as a security design, Microsoft Outlook keeps a list of things it will allow to be processed and things it won't, or at a minimum will take some sort of neutralizing action on before processing. Examples would be disallowing certain scripts, file paths, command-line characters, SQL keywords, and so on.
Emails have gotten a lot more complex with all the marketing widgets like pictures, video, and other display functionality. So what likely happened is that some malicious content which didn't match anything on the disallowed-input list could be embedded in an email, probably in a picture, GIF, or marketing functionality, and when the email is opened that content is automatically processed, thus executing the code. We've seen NSO Group embed zero-click exploits in GIFs, which are automatically processed, to install Pegasus spyware.
In the past, disallowed-input lists have been circumvented by something as simple as a script being written in all caps when only the lowercase form is on the disallow list. That's a really oversimplified example, but you get the point.
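As an added illustration (this is example code, not anything from the advisory or from Morphisec's write-up): a case-sensitive denylist of the kind described above, beside a check that canonicalises the input first and only permits an explicit allowlist of tags. The sample email bodies are constructed for the demonstration.

```python
import re

# Constructed sample bodies: one benign, three carrying the same script tag in
# different spellings. None of these are real samples from the CVE.
BENIGN = "<p>Quarterly report attached.</p>"
LOWER = "<p>hi</p><script>alert(1)</script>"
UPPER = "<p>hi</p><SCRIPT>alert(1)</SCRIPT>"
MIXED = "<p>hi</p>< ScRiPt >alert(1)</ScRiPt>"

# Weak design (CWE-184 style): a hand-written list of disallowed fragments,
# matched case-sensitively against the raw body. Anything not on the list
# passes, so every spelling the author forgot is a gap.
DENYLIST = ("<script", "javascript:", "onerror=")


def weak_is_allowed(body: str) -> bool:
    """Return True when no denylisted fragment appears verbatim in the body."""
    return not any(bad in body for bad in DENYLIST)


# Hardened design: canonicalise (casefold, collapse whitespace around tag
# names), then accept only tags on an explicit allowlist with no attributes.
# Unknown input is rejected by default, so there is no list to be incomplete.
ALLOWED_TAGS = {"p", "b", "i", "br"}
TAG_RE = re.compile(r"<\s*/?\s*([a-z][a-z0-9]*)([^>]*)>")


def hardened_is_allowed(body: str) -> bool:
    """Return True only if every tag is allowlisted and carries no attributes."""
    canonical = body.casefold()
    for match in TAG_RE.finditer(canonical):
        name, rest = match.group(1), match.group(2)
        if name not in ALLOWED_TAGS:
            return False
        if rest.strip():  # attributes (e.g. event handlers) are never allowed
            return False
    return True


def compare(body: str) -> tuple:
    """Side-by-side verdict: (weak_denylist_result, hardened_allowlist_result)."""
    return (weak_is_allowed(body), hardened_is_allowed(body))


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("lower", LOWER),
                        ("upper", UPPER), ("mixed", MIXED)):
        print(f"{label:7s} weak={compare(body)[0]!s:5s} hardened={compare(body)[1]}")
```

Both case variants slip past the denylist, while the allowlist rejects them without any per-spelling rule.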