CVE-2024-21378
📋 TL;DR
This vulnerability allows remote code execution through Microsoft Outlook when processing specially crafted email messages. Attackers could execute arbitrary code on the target system with the privileges of the current user. All users running vulnerable versions of Microsoft Outlook are affected.
💻 Affected Systems
- Microsoft Outlook
📦 What is this software?
365 Apps by Microsoft
Office by Microsoft
Office Long Term Servicing Channel by Microsoft
Outlook by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attacker to install programs, view/change/delete data, or create new accounts with full user rights.
Likely Case
Data theft, credential harvesting, lateral movement within the network, and installation of malware or ransomware.
If Mitigated
Limited impact due to proper email filtering, endpoint protection, and user privilege restrictions.
🎯 Exploit Status
Typically requires user interaction (opening/processing email) but could be chained with other vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific version
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21378
Restart Required: Yes
Instructions:
1. Open Windows Update settings.
2. Check for updates.
3. Install all security updates.
4. Restart computer if prompted.
🔧 Temporary Workarounds
Disable preview pane
Windows: Prevents automatic processing of malicious emails in the preview pane
File > Options > Trust Center > Trust Center Settings > Reading Pane > Uncheck 'Show reading pane'
Block external HTML content
Windows: Prevents automatic loading of external content that could be malicious
File > Options > Trust Center > Trust Center Settings > Automatic Download > Uncheck 'Don't download pictures automatically in HTML email messages or RSS items'
🧯 If You Can't Patch
- Implement strict email filtering to block suspicious attachments and links
- Use application whitelisting to prevent unauthorized executables from running
🔍 How to Verify
Check if Vulnerable:
Check Outlook version against Microsoft's security advisory for affected versions
Check Version:
In Outlook: File > Office Account > About Outlook
Verify Fix Applied:
Verify Outlook version matches or exceeds patched version in Microsoft advisory
📡 Detection & Monitoring
Log Indicators:
- Unusual Outlook crashes
- Suspicious child processes spawned from Outlook.exe
- Unexpected network connections from Outlook
Network Indicators:
- Unusual SMTP traffic patterns
- Suspicious email attachments with unusual file types
- Beaconing to external IPs after email receipt
SIEM Query:
Process Creation where ParentImage contains 'OUTLOOK.EXE' and CommandLine contains suspicious patterns
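The "suspicious child processes spawned from Outlook.exe" indicator, sketched as an added example (not part of the original advisory or any vendor tooling). It assumes Sysmon-style process-creation records with `ParentImage`, `Image` and `CommandLine` fields; the watchlist, the directory list and the sample events are constructed assumptions to tune for your environment.

```python
import ntpath

# Assumption: children a mail client rarely launches; tune per environment.
WATCHED_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Assumption: user-writable locations that a child of Outlook should not run from.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")


def _name(path):
    """Lower-cased file name of a Windows path, whatever OS runs this script."""
    return ntpath.basename(path or "").lower()


def outlook_child_alerts(events):
    """Return (child, reason, command_line) for suspicious children of OUTLOOK.EXE."""
    alerts = []
    for ev in events:
        if _name(ev.get("ParentImage")) != "outlook.exe":
            continue  # only processes whose parent is Outlook are in scope
        image = (ev.get("Image") or "").lower()
        child = _name(image)
        cmd = ev.get("CommandLine") or ""
        if child in WATCHED_CHILDREN:
            alerts.append((child, "watched interpreter or system binary", cmd))
        elif any(d in image for d in USER_WRITABLE_DIRS):
            alerts.append((child, "binary in user-writable directory", cmd))
    return alerts


OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": OUTLOOK, "CommandLine": "powershell.exe -NoProfile",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": OUTLOOK, "CommandLine": "msedge.exe https://example.com",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": OUTLOOK.lower(), "CommandLine": "invoice_viewer.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe"},
]

if __name__ == "__main__":
    for child, reason, cmd in outlook_child_alerts(SAMPLE_EVENTS):
        print(f"ALERT child={child} reason={reason} cmd={cmd!r}")
```

A browser launched from Program Files by a clicked link is deliberately not flagged, which keeps the rule usable on busy mail clients.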