Vigyata.AI
Is this your channel?

DEF CON 33 - The Ghost of Internet Explorer in Windows - George Hughey, Rohit Mothe

2.5K views· 63 likes· 44:17· Oct 10, 2025

In 2023, Microsoft detected a nation state actor (Forest Blizzard/STRONTIUM) exploiting a "zero-click" remote code execution vulnerability in Outlook by sending a malicious email. Microsoft fixed this in part by adding a call to the MapUrlToZone API, which determines where a path is located so callers can make a trust decision. Critical components like Outlook, Office, Windows Shell and sandboxes rely on MapUrlToZone to make intelligent security decisions, but little research has historically focused on MapUrlToZone itself. Microsoft Security Response Center has a unique role in analyzing systemic trends in areas like this and drive deep technical research to remediate security issues. This talk will focus on MSRC's review of the MapUrlToZone API which identified several novel ways to trick Windows into thinking that a remote untrusted file exists on the local machine. We will talk about how we approached this research and exploited key differences in how MapUrlToZone and the Windows filesystem parse file paths. In total, this research identified a dozen CVEs across various vulnerability types. All of the issues covered have been fixed with CVEs in early 2025. In addition to the individual fixes for this component, we'll also cover how MSRC worked with internal teams to build more comprehensive mitigations.

🎬 More from DEFCONConference