Are You Sending Your Password Hash When Invite Clicked?

SCMagazine has the story "Accepting Calendar Invite Could Leak Your Password".

Several steps are needed and the hacker has to create the right environment, but if they can make you click on a calendar invite under the right circumstances, your password "hash" will be transferred to the hacker. A hash is a string of characters produced from the true password by a cryptographic method, so the password itself is hidden. Each piece of software uses a different hashing technology.

An Outlook or Microsoft password hash is not cracked by itself; recovering your password from it requires one of the many tools available on the internet that are built for exactly that.

This post from Varonis explains the details a bit more:

“Varonis Threat Labs discovered a new Outlook vulnerability (CVE-2023-35636) among three new ways to access NTLM v2 hashed passwords by exploiting Outlook, Windows Performance Analyzer (WPA), and Windows File Explorer. With access to these passwords, attackers can attempt an offline brute-force attack or an authentication relay attack to compromise an account and gain access.”


Once the hacker has your passwords they can use them to attack your environment with different methods. So deploying this patch is a must, since even a complex password can be cracked (it will just take the hacker more time to find it). The longer your password, the more time a brute-force attack takes, but if a hacker is ingenious and uses cloud resources, which have almost unlimited processing power, the password is more likely to be cracked, not less.

So patch your Microsoft environments. Good links to get started:

https://www.cve.org/CVERecord?id=CVE-2023-35636

Here is a Microsoft link to update Outlook:

https://learn.microsoft.com/en-us/officeupdates/outlook-updates-msi


It is interesting to note that this is a festering issue dating not from December 2023 but from earlier (March), as the 0patch blog discusses:

Update 12/20/2023: Unsurprisingly, a new bypass (assigned CVE-2023-35384) was discovered for the fix of the first bypass for the original fix. Again, it was found by Ben Barnea. Our original patch blocks both the first bypass and this one, because it completely disables sender-chosen notification sounds. We did issue a patch for Outlook 2013 now as we have security-adopted this Office version after it went out of support.

This is why I have left Microsoft Outlook, since even the classification of this vulnerability as an information disclosure is a bit rich for me, at only a 6.5 CVSS score.

I use other software now, like Thunderbird, or others on my phone. The likelihood that this issue will lead to other problems is high.

Check out my book to see some of my philosophies of Cybersecurity.

This is the second book.

Check this out or this at fixvirus.com to review a little of what is in the book.


Adding some info: what if you want to actually look at the hashed password?

https://ntlm.pw/ is a website that looks up a hash and returns the password it was made from:

Hash: 0ea0e4bb502bd4acaf6997d7c26b54d1
Password in hash: never