cR0wOne of them lists the preview pane as an attack vector. Those are always fun.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53731
K. Reid Wightman :verified: 🌻
:donor: :clippy:@cR0w@infosec.exchange AV:L because....technically correct?
cR0w@reverseics@infosec.exchange Everything is local once it gets to your workstation, right?
K. Reid Wightman :verified: 🌻 :donor: :clippy:@cR0w@infosec.exchange I am actually super duper confused: AV:L and UI:N and PR:N. That is theoretically an impossible combination.
cR0w@reverseics@infosec.exchange I guess their thought is that a user leaves Outlook open and is sent a malicious email and it automatically pops up in the preview pane, they didn't have to interact with it and the attacker didn't need privs to send the email. Just guessing at the logic there.
K. Reid Wightman :verified: 🌻 :donor: :clippy:@cR0w@infosec.exchange You need local access, but no privileges, nor does the user have to click anything.
So if you have code execution on the system, you get code execution on the system I guess. QED.