Share This Post

Articles

How to safeguard yourself from getting hacked due to a flaw in Microsoft Outlook?

Microsoft outlook flaw-featured-

CVE 2018-0950 is the name given to the information disclosure vulnerability of Outlook for which Microsoft released a vulnerability patch this month. This release came almost after 18 months of receiving the report disclosing the bug.

It was Will Dormann who discovered this vulnerability in 2016. He is a software vulnerability analyst with Carnegie Mellon Software Engineering Institute’s CERT Coordination Center (CERT/CC) since 2004.

This vulnerability can result in the disclosure of sensitive information to a malicious site. Thus, Microsoft Outlook users need to be aware of this vulnerability and its safeguards.

Microsoft Outlook vulnerability

Threat Analysis of ‘important’ leak bug and its impact

 As discovered by Dormann, the CVE2018-0950 flaw affects Microsoft Outlook software, when it renders Rich Text Format (RTF) email messages containing remotely hosted OLE objects hosted on SMB (Server Message Block) server (under the control of attackers).

However, other Microsoft applications such as Word, Excel and PowerPoint when encounter remotely hosted OLE objects, notify the user before rendering them, as a security precaution. But as found by Dormann, Outlook did not do so, thus, allowing attackers with an easy access to the user’s system on opening or previewing such mails.

Hackers can easily use this vulnerability to steal sensitive information, including users’ Windows login credentials or hashed passwords, just by sending an RTF-formatted email to a victim and convincing him/her to preview or open that email with Microsoft Outlook, without the need of any further interaction.

It automatically initiates a connection to a remote, malicious SMB server which leaks the victim’s IP address, user name, domain name, host name, and the NTLM Over Server Message Block (SMB) password.

“By convincing a user to preview an RTF email message with Microsoft Outlook, a remote, unauthenticated attacker may be able to obtain the victim’s IP address, domain name, user name, host name, and password hash. This password hash may be cracked offline. This vulnerability may be combined with other vulnerabilities to modify the impact. For example, when combined with VU#867968, an attacker could cause a Windows system to blue-screen crash (BSOD) when a specially-crafted email is previewed with Microsoft Outlook”.- CERT

Microsoft Security update for CVE 2018-0950- a partial fix

In an attempt to patch the issue, Microsoft released a fix in its Microsoft Patch Tuesday update April 2018, which however prevents Outlook from automatically initiating SMB connections while previewing RTF emails, but fails to prevent all SMB attacks.

So, Windows users are advised to adopt some safeguards to mitigate this vulnerability.

 Recommended Safeguards

  • Install Microsoft patch update and apply for vulnerability CVE-2018-0950.
  • Block specific ports like 445/tcp, 137/tcp, 139/tcp, along with 137/udp and 139/udp which are used for SMB sessions, both incoming and outgoing.
  • Block NT LAN Manager (NTLM) Single Sign-on (SSO) authentication.
  • Prefer using complex and long passwords that cannot be cracked easily.
  • Avoid clicking on suspicious links added in the emails.

Also read:McAfee Cloud Workload Security with container support to aid enterprises accelerate cloud business with compliance and security.

Please add comments in the section below.

Rate this post

Share This Post

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Skip to toolbar