In November 2016, Microsoft was alerted to a vulnerability in Microsoft Outlook by security researcher Will Dormann. Only this month-18 months later, has Microsoft released a patch to address the flaw. Having said that, it is only a partial fix!
Dormann discovered that the Microsoft Outlook flaw (CVE-2018-0950) can enable attackers to steal confidential information like Windows login credentials, by simply convincing victims to preview an email with Microsoft Outlook and without any further user interaction at all.
The Microsoft Outlook vulnerability draws on the way that Microsoft Outlook renders remotely-hosted OLE content when a RTF (Rich Text Format) email is previewed and automatically initiates SMB connections.
OLE is a Microsoft technology that allows content from one program to be embedded into a document handled by another program.
Server Message Block (SMB) is a network protocol used by Windows-based computers that allows systems within the same network to share files. So, a file on a remote server can be accessed in much the same way that a file on a local drive can be accessed.
Microsoft Outlook is an email client that comes with Microsoft Office. Outlook includes the ability to send rich text (RTF) email messages. These messages can include OLE objects within them.
How it all fits together
- Microsoft Outlook can create and render RTF email messages
- RTF documents (including email messages) can include OLE objects
- SMB enables OLE objects to live on remote servers.
When Microsoft Outlook views a HTML message that has a remote image on a web server the remote image is not automatically loaded. If this were allowed, the client system’s IP address and other metadata could be leaked. So, this restriction helps to protect against a web bug being used in email messages.
However, Dormann found that when a similar message is viewed in Outlook in RTF an OLE document is loaded from a remote SMB server, instead of a remote image file. Outlook behaves differently. Outlook usually blocks remote web content to protect against privacy risk of web bugs, but with a rich text email, the OLE is automatically loaded without any user interaction and the OLE object functions like a web bug.
This results in the IP address, domain name, username, hostname and SMB session key being leaked.
Additionally, the vulnerability can result in a Denial of Service (DNS) attack: Windows will crash with a Blue Screen of Death and with each following launch of Outlook (after the encounter), Windows will continue to crash as Windows remembers the previous email message that was open, causing a denial of service.
Furthermore, password hashes can be collected. The flaw allows attackers to determine the user’s password. If the user’s password is not complex enough, an attacker may be able to crack the password in a very short amount of time. More complex passwords could still be easily cracked by attackers using tools and services to do so.
Microsoft endeavoured to address the flaw (albeit 18 months later) with the latest security patch this month, but it only successfully fixed automatic SMB connections when it previews RTF emails, so any other SMB attack remains possible.
“It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above,” Dormann added. “For example, if an email message has a UNC-style link that begins with “\\”, clicking the link initiates an SMB connection to the specified server.”
Just another reason why our customers need and use Galaxkey…
Vulnerabilities such as this one, demonstrate and emphasise the need for an extra layer of robust security. This is just another reason why our customers need and choose to use Galaxkey to protect their confidential data.
Carnegie Mellon University Software Engineering Institute
The Hacker News: