Moniker Link bug: A crticial vulnerability hacking outlook

Written By: Anthony Reyes

Updated: 02/14/2024

According to recent security research conducted by Check Point, an incredibly impactful security flaw has been discovered in Microsoft Outlook, referred to as the #MonikerLink bug. This bug takes advantage of the method in which Outlook handles specific hyperlinks, enabling malicious actors to execute unauthorized code on the targeted user’s computer. Microsoft acknowledged and disclosed this exploit, known as CVE-2024-21413, on February 13, 2024, categorizing it as a critical vulnerability with a CVSS score of 9.8.

What is CVSS and how does it effect me?

A critical vulnerability with a Common Vulnerability Scoring System (CVSS) score of 9.8 is considered to be of severe impact. The CVSS is a standardized framework for rating the severity of security vulnerabilities in software. Scores are calculated based on various factors including the complexity of the exploit, the level of privileges required, the extent of user interaction needed for exploitation, the impact on confidentiality, integrity, and availability, among others. Scores range from 0 to 10, with 10 being the most severe.

A score of 9.8 falls within the “critical” severity range, which is typically between 9.0 to 10.0. This indicates that the vulnerability is highly exploitable, potentially allowing an attacker to compromise the affected system with little to no prior access or user interaction. The exploitation of such vulnerabilities could lead to a wide range of impacts, including but not limited to:

  • Complete System Compromise: The attacker might gain full control over the affected system, allowing for the execution of arbitrary code, data theft, installation of malware, and more.
  • Denial of Service (DoS): Availability of the systems or services could be compromised, preventing legitimate users like employees or customers from accessing them.
  • Data Breach : Hackers could gain access to data on the affected system, or in this case, compromise cloud data stored in Microsoft’s SharePoint or OneDrive. This attack method would also allow criminals to leverage other methods like session stealing which bypasses MFA to gain full control over the Microsoft 365 account.

Due to the severity of such vulnerabilities, it is crucial for organizations and individuals to prioritize patches and mitigations provided by software vendors to protect against potential attacks. Regular security assessments, staying informed about vulnerability disclosures, and adopting a proactive cybersecurity posture are key strategies to mitigate the risks associated with critical vulnerabilities.

Ikigai One’s cybersecurity and managed IT clients have been protected from this attack since it was first discovered in October of 2023. 

How do I protect my business if I’m not a client of Ikigai One?

According to the CVE disclosure report Microsoft has as of February 13, 2024 issued a patch in the form of an update to the Outlook desktop client for Windows and Mac. It is imperative that you ensure all systems are up to date. Failure to update ALL systems in your business can leave you open to compromise.

Since this attack method is not stopped by Outlook or Microsoft’s spam and phishing prevention and the low skill exploit is now public knowledge, it is critical that your organization be constantly vigilant and remains aggressive in your IT patching.

How does #MonikerLink bug work?

When the user clicks on the malicious hyperlink designed to exploit the #MonikerLink bug, it initiates a connection using the SMB protocol to a remote server controlled by the attacker. This process can transmit the user’s NTLM credentials to the attacker’s server, thereby compromising authentication details.

Furthermore, it can enable the execution of arbitrary code by leveraging the Component Object Model (COM) in Windows.

The full technical write-up can be found on Check Point Research. 

Here’s the takeaway: Not only did our vast network of threat intelligence and threat researchers discover and report this exploit to Microsoft, but our clients have been protected from it for months

Demand more from your cybersecurity vendors

We are dedicated to simple, sane, and effective holistic cybersecurity, are you? If you want your business to be protected, want to stop worrying about these exploits catching you unaware for MONTHS with no public disclosures or patches, and want to do so without costing your company a fortune: give one of our cybersecurity experts a call at 202-449-8665; we believe that good security is a right, not a privilege so we’ve made a proverbial horde of information available to you at no cost so that you can start securing your business, your future, at little to no cost today, not tomorrow. Start taking your cybersecurity seriously today.