Microsoft has issued an alert on the OneNote spoofing vulnerability, patched previously. According to the latest update from Microsoft, the possibility of exploitation still exists.
The Microsoft OneNote Spoofing Vulnerability, coded CVE-2023-33140, potentially exposes users to the risk of spoofing attacks.
“The vulnerability exists due to incorrect processing of user-supplied data in Microsoft OneNote. A remote attacker can trick a victim to open a specially crafted file and spoof page content,” noted an advisory by Cybersecurity Help.
This vulnerability’s patch was issued in the Patch Tuesday update for the month of June.
The present update Microsoft has confirmed that the vulnerability is still prevalent and provided details regarding its impact and potential risks.
Microsoft OneNote spoofing vulnerability: Tackled, yet active
According to the information released by Microsoft, the vulnerability was initially disclosed on June 13, 2023, and they have been working diligently to address the issue.
“Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft OneNote and then click on a specially crafted URL to be compromised by the attacker,” said the update.
As of the latest update on August 1, 2023, the security flaw remains unexploited, making the chances of exploitation less likely. Despite this, users are urged to remain vigilant and take necessary precautions.
The impact of the vulnerability is classified as “Spoofing,” indicating that it can potentially lead to unauthorized access to sensitive information or services.
The maximum severity level of this vulnerability is classified as “Important,” signifying the potential risks associated with its exploitation.
This OneNote spoofing vulnerability allows threat actors to use maliciously crafted OneNote documents to perform remote code execution, but it necessitates a user to click on a link in the malicious file or email, noted an advisory issued by vulnerability management business Vulnera.
“Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft OneNote and then click on a specially crafted URL to be compromised by the attacker,” confirmed a report by Rootshell Security’s RedForce Team, which identified and reported the issue to Microsoft.
This is the latest instance of how threat actors could use a OneNote spoofing vulnerability for attack.
Trustwave SpiderLabs issued a warning in December 2022 about malicious spam emails containing OneNote attachments.
The malspam emails cleverly impersonate DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents to deceive recipients.
OneNote’s unique feature of allowing users to insert attachments into a NoteBook that launch upon double-clicking has been exploited by threat actors.
They have been attaching malicious Visual Basic Script (VBS) files that automatically execute upon opening, leading to the download and installation of malware from remote servers.
To hide the VBS attachments, attackers overlay a conspicuous ‘Double click to view file’ bar over them.
Upon clicking the bar, users unknowingly activate the malware. Though OneNote does provide security warnings when launching attachments, users often overlook these alerts, inadvertently granting malware execution permissions.
Upon analysis, researchers found the OneNote attachments delivering remote access trojans (RATs), including AsyncRAT and XWorm.
The presence of RATs grants attackers unauthorized access to victims’ systems, allowing them to steal sensitive data, including passwords and cryptocurrency wallets.
How to counter the OneNote spoofing vulnerability threat
According to the Common Vulnerability Scoring System (CVSS) metrics, successful exploitation of this vulnerability could result in a major loss of confidentiality (C:H).
“Successful exploitation of this vulnerability enables an attacker to obtain a victim’s NetNTLMv2 hashes thus impact to Confidentiality is High,” said the Microsoft update.
“Integrity and Availability are not impacted because the hashes do not directly enable an attacker to modify data or impact the victim’s application or server runtime.”
The obtained hashes, while posing a significant threat to confidentiality, do not allow the attacker to modify data or affect the victim’s application or server runtime.
Microsoft has revealed that user interaction is required for the OneNote spoofing vulnerability to be exploited, meaning that a specific action by the user is necessary.
Specifically, the user must open a specially crafted file with an affected version of Microsoft OneNote and then click on a specially crafted URL provided by the attacker.
Users are advised to exercise caution when handling files or links from unknown or untrusted sources, and update their software to the latest version as soon as the patch becomes available.
Additionally, users should exercise caution when handling files and links, especially those received from untrusted sources, to mitigate the risk of falling victim to potential spoofing attacks.
