"Microsoft Outlook Zero-Click Security Flaws Triggered by Sound File"

Researchers have detailed two security flaws in Microsoft Outlook that, when exploited together, enable attackers to execute arbitrary code on impacted systems without requiring user interaction. They can both be triggered using a sound file. One of the flaws, tracked as CVE-2023-35384, is the second patch bypass discovered by Akamai researchers for a critical privilege escalation vulnerability in Outlook that Microsoft first patched in March. The second flaw disclosed by Akamai, tracked as CVE-2023-36710, is a Remote Code Execution (RCE) vulnerability in a Windows Media Foundation feature related to how Windows parses sound files. According to Akamai, an attacker can chain the vulnerabilities to create a full, zero-click RCE exploit against Outlook clients. This article continues to discuss the vulnerabilities that attackers can chain together to gain full RCE.

Dark Reading reports "Microsoft Outlook Zero-Click Security Flaws Triggered by Sound File"

Submitted by grigby1
