Researcher: Microsoft Patch For ‘Important’ Outlook Bug Is Incomplete

Microsoft has released a fix for a security flaw in Outlook, more than a year after it was reported, but the fix is incomplete and requires further mitigations, according to the researcher who discovered the issue.

Will Dormann of the CERT Coordination Center (CERT/CC) reported the Outlook bug to Microsoft in November 2016, and Microsoft released a fix with this week’s patches.

Microsoft’s advisory on the CVE-2018-0950 flaw categorises it as an “information disclosure vulnerability”, but the bug, which involves the use of remotely hosted objects in a rich formatted email, could allow hashed passwords to be stolen, potentially allowing an attacker to gain access to a user’s system.

In its advisory Microsoft conceded that exploitation is “more likely” now that the issue has been made public. Microsoft ranked the bug as “important”.

Malicious object

When Microsoft applications such as Word, Excel and PowerPoint encounter remotely hosted OLE objects, they prompt the user before rendering them as a security precaution.

Dormann found that Outlook didn’t do so, leaving the door open to potential misuse.

In one proof of concept attack, Dormann found an email with an embedded OLE object could be used to initiate a request to a remote, malicious SMB server. When that happened, the user’s Windows system would attempt to authenticate on the malicious server.

As part of authentication, the system would transmit the user’s hashed NT LAN Manager (NTLM) password. The attacker could then attempt to crack the hash offline and use it to gain access to the target.

The attack was initiated when the user opened or previewed the malicious email.

Not all attacks blocked

Microsoft’s patch prevents Outlook from initiating SMB connections when it previews rich formatted emails, but Dormann noted that the fix doesn’t prevent all SMB attacks.

For instance, an attacker could embed in an email a link pointing at a malicious SMB server. Outlook automatically renders such links clickable, and if a user clicks on one the same information leak could occur.

“If a user clicks on an SMB link… this behaviour will still cause a password hash to be leaked,” Dormann wrote in his assessment of the issue.

He said network administrators should take other precautions, including blocking specific ports used for incoming and outgoing SMB sessions, blocking NTLM single sign-on for external resources and requiring the use of longer passphrases instead of passwords.
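The three precautions Dormann lists, applied to a single Windows host from an elevated PowerShell session. This is an added example, not code from the article or from CERT/CC. The host-firewall rules approximate the perimeter port blocking the article describes; the rule names and the assumption that everything outside RFC 1918 space is “external” are illustrative and should be adapted to the network in question.

```powershell
# Added example (not from the article or CERT/CC): apply the three mitigations
# on one Windows host. Run from an elevated PowerShell session.

# 1. Block outgoing SMB/NetBIOS sessions to non-private address space so the
#    client never completes an NTLM handshake with an SMB server on the Internet.
#    ASSUMPTION: everything outside RFC 1918 ranges is "external"; adjust if file
#    servers live elsewhere. Rule names are hypothetical.
$externalRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)
New-NetFirewallRule -DisplayName 'Block outbound SMB (TCP 445/139) to external hosts' `
    -Direction Outbound -Protocol TCP -RemotePort 445,139 `
    -RemoteAddress $externalRanges -Action Block -Profile Any
New-NetFirewallRule -DisplayName 'Block outbound NetBIOS (UDP 137/138) to external hosts' `
    -Direction Outbound -Protocol UDP -RemotePort 137,138 `
    -RemoteAddress $externalRanges -Action Block -Profile Any

# 2. Block NTLM single sign-on to remote servers. This registry value backs the
#    policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
#    0 = allow all, 1 = audit only, 2 = deny all. Run with 1 first, review the
#    NTLM operational event log, then switch to 2.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 2 -Type DWord

# 3. Require longer passphrases: raise the local minimum password length.
#    A leaked NTLM hash is only as useful as the time it takes to crack it offline,
#    and that time grows sharply with password length. (On a domain, set this via GPO.)
net accounts /minpwlen:14

# Verify what was applied.
Get-NetFirewallRule -DisplayName 'Block outbound *' | Format-Table DisplayName, Enabled, Action
Get-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic'
```

Denying outgoing NTLM outright can break authentication to legitimate external services that still rely on it; list those under the companion policy “Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication” before moving the value from audit (1) to deny (2). Note that none of these settings stops the user from clicking the link; they stop the hash from leaving the host when the click happens.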


Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
