Tracked as CVE-2023-29324, the new vulnerability is in the MSHTML platform. A patch for this flaw was just released as part of the May 2023 Patch Tuesday. MSHTML is the basis for most of the functions and features in Windows and is present in every version of the operating system. It is used by File Explorer and the Windows shell, and it is also leveraged by Office applications such as Outlook. A fork of MSHTML, EdgeHTML, was used for the original Microsoft Edge. MSHTML was the component abused by Trickbot and BazarLoader. It can be leveraged for many things, from calling PowerShell to launching Java and Python scripts. It is a fantastic “feature” for security teams to try to keep under control.
The new vulnerability targets a Windows API function, MapUrlToZone. It abuses this function to make a remote, attacker-controlled URL appear to be a local one, bypassing the URL trust-zone restrictions. If properly exploited, the flaw allows an Outlook client to connect to a malicious server, facilitating NTLM credential theft, and it does so without any user interaction. The bypass lets the original flaw work just as it did before it was patched: according to Akamai researchers, a crafted calendar event or email, once parsed by Outlook, gets the client to connect to the masked URL and perform NTLM authentication against the remote server.
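One way to make the kind of check the patch depends on fail closed, shown here as an added example (this is not code from the original post, from Microsoft, or from the Akamai research): a validator that accepts only a plain local drive path and refuses every other shape, including the UNC and file:// references whose opening would cause an outbound SMB connection and the NTLM exchange that comes with it. The function names, the accepted shape, the MAX_PATH limit and the attacker.example host are assumptions for illustration.

```python
"""Fail-closed check of a file reference taken from an untrusted item.

Added example for this post; it is not code from Microsoft or from the
Akamai research. It assumes the reference is a Windows-style path or URL
of the kind a calendar item can carry. Host names are constructed
placeholders.
"""
import re
from urllib.parse import urlparse

# Exactly one accepted shape: drive letter, colon, one backslash, then a
# component that does not start with another separator.
LOCAL_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\(?!\\)")
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")
MAX_PATH = 260  # classic Windows MAX_PATH; over-long input is refused outright


def classify_reference(value: str) -> str:
    """Return 'local' for a plain local drive path, else 'rejected: <reason>'.

    A zone lookup answers "does this look remote?"; the bypass in this post
    is a remote URL that fails that question. A positive check asks the
    opposite, "is this exactly the one shape we will open?", so input of an
    unexpected shape is refused rather than guessed at.
    """
    if not value or len(value) > MAX_PATH:
        return "rejected: empty or over-long"
    s = value.strip()
    # Treat forward and back slashes alike so //host/share and \\host\share
    # take the same branch.
    normalized = s.replace("/", "\\")

    if normalized.startswith("\\\\"):
        # UNC in any spelling (\\host\share, \\?\UNC\host\share, \\.\device):
        # opening it means an SMB connection, and an NTLM exchange, with the
        # named host.
        return "rejected: UNC path (would trigger outbound SMB/NTLM)"

    if DRIVE_PREFIX.match(normalized):
        if not LOCAL_DRIVE_PATH.match(normalized):
            # e.g. 'C:notify.wav' (drive-relative) or 'C:\\host\share'
            return "rejected: malformed drive path"
        if ".." in normalized.split("\\"):
            return "rejected: path traversal"
        return "local"

    # Anything else is treated as a URL. file://host/... is UNC spelled
    # differently, and http/https mean an outbound request either way.
    try:
        scheme = urlparse(s).scheme.lower()
    except ValueError:
        return "rejected: unparseable"
    if scheme:
        return f"rejected: URL scheme '{scheme}'"
    return "rejected: not a local drive path"


def is_safe_local_path(value: str) -> bool:
    """Boolean wrapper for callers that only need allow/deny."""
    return classify_reference(value) == "local"


if __name__ == "__main__":
    # Constructed inputs covering the shapes a validator must get right.
    samples = [
        r"C:\Windows\Media\notify.wav",
        r"\\attacker.example\share\notify.wav",
        "//attacker.example/share/notify.wav",
        r"\\?\UNC\attacker.example\share\notify.wav",
        "file://attacker.example/share/notify.wav",
        "http://attacker.example/notify.wav",
        r"C:\Windows\..\..\notify.wav",
        "C:notify.wav",
        "relative\\notify.wav",
    ]
    for sample in samples:
        print(f"{sample!r:55} -> {classify_reference(sample)}")
```

The design point is the direction of the question. A MapUrlToZone-style classification tries to recognise remote inputs, and the bypass described above is a remote URL the classifier misses. A positive allowlist refuses anything it does not recognise, so a new spelling of a remote reference is rejected by default instead of being trusted.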
I have always said that Windows and Microsoft Office are exceptionally helpful: if you ask them to do something, they want to do it for you. There are multiple subsystems built to make things easy for the user, and it is because of these UX functions and subsystems that Windows is vulnerable. Microsoft Office is even more so, as it deals with productivity and needs to parse and work with many types of input and data sources. When a good, exploitable flaw is found, attackers know about it and want to keep it. They will not simply stop because there is a patch for one particular vector. Once a patch is applied for a systemic flaw, like the ones found in MSHTML, they will either find another way to abuse it or dive into the fix and find a way around it. That is the case here. This is not truly a new flaw; it is a bypass of a patch to get back to the old flaw that was so easy to abuse.
If you have not applied your May patches, do so as soon as possible. Attackers know that this bypass has a patch available, so they also know their exploitation window will close soon. That typically means attacks leveraging it will increase as they try to get the most out of the time they have left.
Happy patching