Microsoft Outlook flaw opens the door to “mailbomb” attacks

Pierluigi Paganini December 18, 2015

Microsoft fixed a vulnerability in Microsoft Outlook that could allow remote code execution if the victim opens a specially crafted Office doc.

Microsoft recently fixed a number of critical bugs with the last “Patch Tuesday” issued on December 8, including an update to the Microsoft Office suite to fix a number of security issues. One of the flaws, the CVE-2015-6172 vulnerability, could be exploited by attackers for remote code execution through a “specially crafted Microsoft Office file”.

“This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.” states the Microsoft Security Bulletin.

The vulnerability affects Office 2010 and later, as well as Microsoft Word 2007 with Service Pack 3.

As explained by the security researcher Haifei Li in a paper entitled “BadWinmail: The ‘Enterprise Killer’ Attack Vector in Microsoft Outlook,” and attacker can exploit the vulnerability by sending a crafted attachment via e-mail to bypass Outlook’s layers of security by exploiting Office’s Object Linking and Embedding (OLE) capabilities and Outlook’s Transport Neutral Encapsulation Format (TNEF).

The winmail.dat file includes instructions on how to Microsoft Office handles attachments, before the patch release OLE objects were rendered within the e-mail and call code from the application they’re based on escaping the Outlook security  “sandbox.”

“When the value of the ‘PidTagAttachMethod’ [within winmail.dat] is set to ATTACH_OLE (6),” Haifei wrote, “the ‘attachment file’ (which is another file contained in the winmail.dat file) will be rendered as an OLE object.”

As a result, an attacker could create a specific  a TNEF e-mail and send it to the targeted user to launch the attack.

“Such a feature could allow us to “build” a TNEF email and send it to the user, when the user reads the email, the embedded OLE object will be loaded automatically. ” states the expert. ” According to the author’s tests, various OLE objects can be loaded via emails; this poses a big security problem.”

Microsoft Outlook attack

Phishing attacks that rely on this technique are very dangerous because to compromise the victim machine, it is sufficient that the malicious message is viewed by the user.

“By packing a Flash exploit in an OLE enabled TNEF e-mail, an attacker can [achieve] full code execution as long as the victim reads the e-mail,” he reported. “We use Flash OLE object as an example since Flash (zero-day) exploits are easy to obtain by attackers, but please note that there are other OLE objects [that] may be abused by [an] attacker.”

Haifei noted that the vulnerability could also be triggered by the content of the email instead the attachment because Outlook automatically considers .msg files as “safe” and opens them in an Outlook message view rather than sandboxing them. This means that OLE content embedded in the content of the email will be automatically opened.

Don’t waste time, apply the patch and turn off the message preview pane in Microsoft Outlook.

Haifei also suggested to change to registry keys with an “Office kill-bit” to block Flash content from automatically opening via OLE, by blocking the CLSID D27CDB6E-AE6D-11cf-96B8-444553540000.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]"Compatibility Flags"=dword:00000400

This setting will prevent protect you from OLE-embedded Flash exploits.

Pierluigi Paganini

(Security Affairs – Microsoft Outlook, hacking)

you might also like

leave a comment