Open or Not, You’re Vulnerable: Email Flaw Hijacks PCs Without a Click
A new vulnerability has been found in the Windows MSHTML platform. The vulnerability, identified as CVE-2023-35628, carries a CVSS score of 8.1, indicating high severity. This flaw does not just threaten; it pounces from the most unexpected of places: an email.
Email vulnerabilities are traditionally linked to the Preview Pane in email clients, where merely previewing a malicious email could trigger an exploit. However, CVE-2023-35628 defies this norm. The vulnerability is exploited when Microsoft Outlook retrieves and processes the email, which occurs even before the email reaches the Preview Pane. This insidious nature of the vulnerability leaves users unaware of the lurking danger, as the exploitation can occur without any interaction from the victim.
CVE-2023-35628 allows a remote, unauthenticated attacker to execute arbitrary code on the victim’s system. The exploit can be initiated simply by sending a specially crafted email. Ransomware gangs and other malicious entities are likely to find this vulnerability an attractive target, potentially developing a reliable method for its exploitation.
The vulnerability can be exploited in multiple ways. An attacker could send a malicious link via email or entice the user to click on a link through an email or Instant Messenger message. The most alarming scenario involves the attacker sending a specially crafted email that automatically triggers the exploit without any required action from the victim. Microsoft has highlighted this as the higher risk scenario, emphasizing the critical nature of this vulnerability.
Interestingly, the exploit code maturity for CVE-2023-35628 is currently unproven. This suggests that, as of now, there might not be a reliable method for exploiting this vulnerability in the wild. In addition, the complexity of the memory-shaping techniques required to exploit this vulnerability may pose a significant barrier. Despite this, the high impact and potential for remote code execution make CVE-2023-35628 a critical issue for all Windows users.
Microsoft patched this flaw in its December 2023 Patch Tuesday release, and users are advised to update their systems.