Presented at DEF CON 33 (2025), Aug. 8, 2025, 1 p.m. (45 minutes).
In 2023, Microsoft detected a nation-state actor (Forest Blizzard/STRONTIUM) exploiting a "zero-click" remote code execution vulnerability in Outlook by sending a malicious email. Microsoft fixed this in part by adding a call to the MapUrlToZone API, which determines where a path is located so callers can make a trust decision. Critical components like Outlook, Office, Windows Shell and sandboxes rely on MapUrlToZone to make intelligent security decisions, but little research has historically focused on MapUrlToZone itself. Microsoft Security Response Center has a unique role in analyzing systemic trends in areas like this and driving deep technical research to remediate security issues.
This talk will focus on MSRC's review of the MapUrlToZone API which identified several novel ways to trick Windows into thinking that a remote untrusted file exists on the local machine. We will talk about how we approached this research and exploited key differences in how MapUrlToZone and the Windows filesystem parse file paths.
In total, this research identified a dozen CVEs across various vulnerability types. All of the issues covered have been fixed with CVEs in early 2025. In addition to the individual fixes for this component, we'll also cover how MSRC worked with internal teams to build more comprehensive mitigations.
References:
- There is very little prior research on MapUrlToZone. Our main reference point was Ben Barnea's recent research [link](https://www.akamai.com/blog/security-research/critical-vulnerability-create-uri-remote-code-execution), [link](https://www.akamai.com/blog/security-research/chaining-vulnerabilities-to-achieve-rce-part-one).
Presenters:
- George Hughey
George is passionate about Windows Security and improving the security landscape for all Windows users. Over the past five years as a member of MSRC's Vulnerabilities and Mitigations Team, George has investigated various components in Windows, hunting for and remediating the most pervasive vulnerabilities in the ecosystem.
- Rohit Mothe
Rohit Mothe is a Security Researcher on the Vulnerabilities & Mitigations team at the Microsoft Security Response Center (MSRC) and has experience researching and exploiting vulnerabilities for over a decade in various roles.