Microsoft fixed a new vulnerability this week that could be used to bypass the defenses the company put in place in March for a critical Outlook vulnerability that Russian cyberspies exploited in the wild. The Outlook vulnerability allowed attackers to steal NTLM hashes simply by sending specially crafted emails to Outlook users. The exploit requires no user interaction.
The new vulnerability, patched Tuesday and tracked as CVE-2023-29324, is in the Windows MSHTML Platform. It can be used to trick a security check used as part of the March Outlook vulnerability patch into treating a path on the internet as a local one, thereby evading trust zone checks. Microsoft gave the new vulnerability a severity score of 6.5 out of 10 (medium), but the Akamai security team that found it thinks it should have been rated higher.