Attackers reverse Outlook vulnerability CVE-2017-11774 patch functionality

Researchers at FireEye have spotted an uptick in active exploits of CVE-2017-11774, an Outlook security feature bypass vulnerability. Attackers are also actively reversing Outlook vulnerability patch functionality. To help protect against such exploits, FireEye has provided Outlook hardening guidelines.

Microsoft first patched the Outlook vulnerability CVE-2017-11774 on October 10, 2017.

In mid-2018, however, FireEye spotted Iranian threat actors APT33 and APT34 were abusing a specific Outlook home page exploitation technique.

“We have observed multiple threat actors adopting the technique and eventually becoming a favorite for Iranian groups in support of both espionage and reportedly destructive attacks,” FireEye warned in a blog post.

In these types of client-side attacks, actors can modify the victim’s Outlook client homepages for code execution and persistence. Users and unfortunately the bad guys can also use the Outlook Home Page feature to customize the default view of any folder in Outlook. To add, a specific (or malicious) URL can be loaded and displayed whenever a folder is opened.

In December of 2018, FireEye warned the patch could be rolled back to remove the patch functionality.

By mid-2019, the company also raised awareness of how APT33 and other threat actors could override the CVE-2017-11774 patch without escalated privileges.

For example, an attacker can add or undo registry key settings that effectively disable the CVE-2017-11774 patch protections. FireEye has provided multiple reg key examples of how bad actors can exploit even without elevated privileges.

Readers may also remember that APT33 threat actors also used a dozen botnets in a targeted malware campaign as recently as November 2019.

Outlook hardening recommendations

To help mitigate such attacks, FireEye has provided some recommended registry settings for CVE-2017-11774 hardening in the same blog post. These settings will help with “continuous reinforcement” in case an attacker tries to update or undo registry settings.

FireEye has provided multiple Group Policy Object (GPO) settings that organizations can deploy to better harden Outlook configurations.

In one example, FireEye recommends protection against an attacker using Outlook’s WebView functionality to configure home page persistence. The following registry key configuration should be enabled and enforced:

“Disable”= dword:00000001

In another example, organizations can also use GPOs to disable an Outlook home page URL from being set in folder properties for all default folders. Multiple other GPO hardening recommendations are also available in the blog post.

Finally, FireEye recommends that organizations thoroughly test any GPOs or configuration changes to help minimize potential negative user or endpoint impact.