Brutkey

cR0w
@cR0w@infosec.exchange

One of them lists the preview pane as an attack vector. Those are always fun.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53731


cR0w
@cR0w@infosec.exchange

JK, there are more than the one sev:CRIT RCE that impact the preview pane.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53733

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53740

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53784

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

@cR0w@infosec.exchange AV:L because....technically correct?

cR0w
@cR0w@infosec.exchange

@reverseics@infosec.exchange Everything is local once it gets to your workstation, right?

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

@cR0w@infosec.exchange I am actually super duper confused: AV:L and UI:N and PR:N. That is theoretically an impossible combination.

cR0w
@cR0w@infosec.exchange

@reverseics@infosec.exchange I guess their thought is that a user leaves Outlook open and is sent a malicious email and it automatically pops up in the preview pane, they didn't have to interact with it and the attacker didn't need privs to send the email. Just guessing at the logic there.

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

@cR0w@infosec.exchange You need local access, but no privileges, nor does the user have to click anything.

So if you have code execution on the system, you get code execution on the system I guess. QED.

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

@cR0w@infosec.exchange Yeah. I seem to remember some supernerd friends having this argument about email a long time ago. Whether it's considered AV:N and UI:R or not.

I say 'yes' to both because the CVSS specification says that UI includes a "user-initiated process".

By default, Outlook does not start on a computer until the user at minimum logs in to the computer (usually they have to start Outlook manually to boot), which initiates the process.

Reading the CVSS spec is hard though, let's go shopping.

cR0w
@cR0w@infosec.exchange

@reverseics@infosec.exchange I agree with your take. Luckily, the nuance is handled by analysts who are capable of thinking and not by just the scores, right?

Oh.

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

@cR0w@infosec.exchange You could actually argue this is: AV:N/AC:H/UI:R, high attack complexity because the default configuration of Outlook has no accounts attached and thus does not actually check any email from any server; triggering the vulnerability therefore requires a nonstandard configuration.

CVSS pedantry? In this economy?