NetSPI discovered that Microsoft Outlook is vulnerable to authenticated remote code execution (CVE-2024-21378) due to improper validation of synchronized form objects. By manipulating a configuration file, an attacker can have a custom form automatically registered and instantiated, specifying a malicious executable as the form server; this bypasses Outlook's faulty allow-listing mechanism and results in remote code execution on the target system.

The allow-listing mechanism examines the form server registry key property to prevent the unauthorized automatic execution of synchronized COM form server executables. Despite this safeguard, Microsoft documentation acknowledges that relative registry paths can be used to instantiate the form server executable, and the matching algorithm inside the allow-listing validation handles such paths incorrectly, so unauthorized execution through relative registry paths remains possible.

NetSPI identified a dual failure in the allow-listing validation algorithm when it processes relative paths. First, the algorithm erroneously uses exact matching instead of substring detection for forbidden registry key values, which leads to false negatives. Second, a divergent control flow within the instantiation process unexpectedly handles relative registry paths, bypassing validation and enabling automatic registration and execution of the form server executable.

Microsoft's patch addressed the vulnerability by preventing the second stage of the attack and blocking the mechanism that allowed registering relative registry paths, effectively disrupting the intended attack flow.
Source: GBHackers
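The exact-match versus substring-match failure described above, shown as an added Python illustration that is not code from the advisory, NetSPI, GBHackers or Microsoft. The forbidden key names and the sample registry values are constructed placeholders (the real Outlook deny-list is not on the page), and the third check goes beyond the page's substring fix by normalising path components so that a relative path is caught without over-matching unrelated names.

```python
"""Deny-list matching for registry key paths: flawed exact match, the substring
fix the write-up implies, and a component-normalised check.

Added illustration; key names and sample values are constructed placeholders,
not the values Outlook actually checks.
"""
from __future__ import annotations

import ntpath
from typing import Callable

# Hypothetical deny-list of COM-style registry subkeys whose value names an
# executable to launch. Registry key names are case-insensitive, so compare lowered.
FORBIDDEN_KEYS = frozenset(k.lower() for k in ("LocalServer32", "InprocServer32"))

# Constructed sample values a form property might carry (not real Outlook data).
SAMPLE_VALUES = (
    "LocalServer32",             # absolute, forbidden name as-is
    "..\\LocalServer32",         # relative path: slips past exact matching
    "Foo\\..\\InprocServer32",   # relative path that resolves to a forbidden key
    "LocalServer32Backup",       # unrelated name that substring matching over-flags
    "TypeLib",                   # benign key
)


def blocked_exact(key_path: str) -> bool:
    """Flawed check: the whole value must equal a forbidden name.

    A relative path such as '..\\LocalServer32' never equals 'LocalServer32',
    so it is silently allowed (false negative).
    """
    return key_path.lower() in FORBIDDEN_KEYS


def blocked_substring(key_path: str) -> bool:
    """Substring check: flags any value containing a forbidden name anywhere.

    Catches the relative-path case, at the cost of also flagging names that
    merely contain a forbidden name (e.g. 'LocalServer32Backup').
    """
    lowered = key_path.lower()
    return any(name in lowered for name in FORBIDDEN_KEYS)


def blocked_component(key_path: str) -> bool:
    """Normalise separators and '..' segments, then compare each component exactly.

    Resolves 'Foo\\..\\InprocServer32' to 'InprocServer32' before comparing,
    keeps '..\\LocalServer32' blocked, and leaves 'LocalServer32Backup' alone.
    """
    normalised = ntpath.normpath(key_path.replace("/", "\\"))
    return any(part.lower() in FORBIDDEN_KEYS for part in normalised.split("\\") if part)


def audit(values: tuple[str, ...] = SAMPLE_VALUES) -> dict[str, tuple[bool, bool, bool]]:
    """Run all three checks over the sample values: value -> (exact, substring, component)."""
    return {v: (blocked_exact(v), blocked_substring(v), blocked_component(v)) for v in values}


def false_negatives(check: Callable[[str], bool], values: tuple[str, ...] = SAMPLE_VALUES) -> list[str]:
    """Values the component check blocks but the given check lets through."""
    return [v for v in values if blocked_component(v) and not check(v)]


if __name__ == "__main__":
    for value, (exact, sub, comp) in audit().items():
        print(f"{value:<28} exact={exact!s:<5} substring={sub!s:<5} component={comp}")
    print("missed by exact matching:", false_negatives(blocked_exact))
```

Running the block prints one row per sample value; the two relative paths show up as blocked only by the substring and component checks, which is the false-negative class the write-up attributes to the original validation.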