Microsoft has released a fix for a security flaw in Outlook, more than a year after it was reported, but the fix is incomplete and requires further mitigations, according to the researcher who discovered the issue.
Will Dormann of the CERT Coordination Center (CERT/CC) reported the Outlook bug to Microsoft in November 2016, and Microsoft released a fix with this week’s patches.
Microsoft’s advisory on the CVE-2018-0950 flaw categorises it as an “information disclosure vulnerability”, but the bug, which involves the use of remotely hosted objects in a rich formatted email, could allow hashed passwords to be stolen, potentially allowing an attacker to gain access to a user’s system.
In its advisory Microsoft conceded that exploitation is “more likely” now that the issue has been made public. Microsoft ranked the bug as “important”.
When Microsoft applications such as Word, Excel and PowerPoint encounter remotely hosted OLE objects, they prompt the user before rendering them as a security precaution.
Dormann found that Outlook didn’t do so, leaving the door open to potential misuse.
In one proof of concept attack, Dormann found an email with an embedded OLE object could be used to initiate a request to a remote, malicious SMB server. When that happened, the user’s
Windows system would attempt to authenticate on the malicious server.
As part of authentication, the system would transmit the user’s hashed NT LAN Manager (NTLM) password. The attacker could then attempt to crack the encryption offline, and use it to gain access to the target.
The attack was initiated when the user opened or previewed the malicious email.
Microsoft’s patch prevents Outlook from initiating SMB connections when it previews rich formatted emails, but Dormann noted that the fix doesn’t prevent all SMB attacks.
For instance, an attacker could embed a link into an email connected to a malicious SMB server. Outlook would automatically render such links clickable, and if a user clicks on it the same information leak could occur.
“If a user clicks on an SMB link… this behaviour will still cause a password hash to be leaked,” Dormann wrote in his assessment of the issue.
He said network administrators should take other precautions, including blocking specific ports used for incoming and outgoing SMB sessions, blocking NTLM single sign-on for external resources and requiring the use of longer passphrases instead of passwords.
Do you know all about security? Try our quiz!
Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…
Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC
Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…
Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…
Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…
Elon Musk continues to provoke the ire of various leaders around the world with his…