Flaw in Microsoft Outlook Lets Hackers Easily Steal Your Windows Password
According to a blog post by thehackernews.com, and many similar posts, almost 18 months ago security researcher Will Dormann of the CERT Coordination Center (CERT/CC) found a severe vulnerability in Microsoft Outlook (CVE-2018-0950). Eighteen months have passed, and Microsoft has only partially addressed it with the latest Patch Tuesday updates.
The flaw lies in the way Microsoft Outlook renders remotely hosted OLE content when an RTF (Rich Text Format) email is previewed, which automatically initiates SMB connections.
The CVE-2018-0950 flaw could be exploited by attackers to steal sensitive data such as Windows login credentials simply by tricking victims into previewing an email in Microsoft Outlook.
“Outlook blocks remote web content due to the privacy risk of web bugs. But with a rich text email, the OLE object is loaded with no user interaction. Let’s look at the traffic in Wireshark to see what exactly is being leaked as the result of this automatic remote object loading,” wrote Dormann.
The vulnerability, discovered by Will Dormann of the CERT Coordination Center (CERT/CC), resides in the way Microsoft Outlook renders remotely-hosted OLE content when an RTF (Rich Text Format) email message is previewed and automatically initiates SMB connections.
In the attack scenario, a remote attacker exploits the vulnerability by sending an RTF email to the victim; the malicious message contains an image file (OLE object) that is loaded from a remote SMB server under the attacker’s control.
How does this affect me?
In the Wireshark packet capture below, it is clear that an attacker can use this type of attack to capture more than just the email recipient’s IP address: by exploiting the CVE, the attacker also gains access to user names, host names, and session keys.
Here we can see that an SMB connection is being negotiated automatically. The only action that triggers this negotiation is Outlook previewing an email that was sent to it.
“Microsoft Outlook will automatically retrieve remote OLE content when an RTF email is previewed. When remote OLE content is hosted on a SMB/CIFS server, the Windows client system will attempt to authenticate with the server using single sign-on (SSO),” states the CERT. “This may leak the user’s IP address, domain name, user name, host name, and password hash. If the user’s password is not complex enough, then an attacker may be able to crack the password in a short amount of time.”
What should I be looking for?
Because Microsoft Outlook automatically renders OLE content, it will initiate an automatic authentication with the attacker-controlled remote server over the SMB protocol using single sign-on (SSO). This leaks the NTLMv2 hashed form of the password, which attackers can crack with commercial tools and services.
“It is important to realize that even with the recent patch, a user is still a single click away from falling victim to the types of attacks described above,” Dormann said. “For example, if an email message has a UNC-style link that begins with ‘\\’, clicking the link initiates an SMB connection to the specified server.”
What Versions of Office Products does this affect?
- Microsoft Office 2007 Service Pack 1 – 3
- Microsoft Office 2010 Service Pack 1 – 2
- Microsoft Office 2013 Service Pack 1
- Microsoft Office 2016
All of the Microsoft Office versions listed above are currently affected, as are all earlier versions, even if you have not updated your Office product to one of the listed service packs. Both the 32-bit and 64-bit editions are affected.
At this time there is no report that this vulnerability affects any of the Apple Mac versions of the Microsoft Office suite.
Why would your Windows PC automatically hand over your credentials to the attacker’s SMB server?
This is how authentication via the Server Message Block (SMB) protocol works in combination with the NTLM challenge/response authentication mechanism, as described in the following image.
Dormann reported the vulnerability to Microsoft in November 2016, and in an attempt to patch the issue, the company released an incomplete fix in its April 2018 Patch Tuesday update, almost 18 months after it was reported.
The security patch only prevents Outlook from automatically initiating SMB connections when it previews RTF emails, but the researcher noted that the fix does not prevent all SMB attacks.
How do I fix this?
Microsoft attempted to address the flaw in its latest security updates, but the fix only stops Outlook from automatically initiating SMB connections when it previews RTF emails; any other SMB attack is still feasible.
If you have already installed the latest Microsoft patch update, that’s great, but attackers can still exploit this vulnerability. So Windows users, and especially corporate network administrators, are advised to follow the steps below to mitigate it.
- Apply the Microsoft update for CVE-2018-0950, if you have not yet.
- Block specific ports (445/tcp, 137/tcp, 139/tcp, along with 137/udp and 139/udp) used for incoming and outgoing SMB sessions.
- Block NT LAN Manager (NTLM) Single Sign-on (SSO) authentication.
- Always use complex passwords that cannot be cracked easily even if their hashes are stolen (a password manager can handle this task for you).
- Most important, don’t click on suspicious links provided in emails.
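As an added example (not from the original post, CERT/CC, or Microsoft), the following PowerShell applies the port-blocking and NTLM SSO restrictions from the list above to a single Windows host. It assumes an elevated session on Windows 10 / Server 2016 or later, and that `RestrictSendingNTLMTraffic` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` is the registry value behind the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy.

```powershell
# Added example, not from the article: harden a Windows host against the
# outbound SMB/NTLM credential leak described above.
# Assumption: registry value names follow Microsoft's "Restrict NTLM" policy;
# verify them against your own Group Policy baseline before deploying.
#Requires -RunAsAdministrator

# 1. Block outbound SMB/NetBIOS sessions on the ports from the mitigation list
#    (445/tcp, 139/tcp, 137/tcp, 137/udp, 139/udp). Scoped to the Public and
#    Private profiles so internal file shares on the Domain profile keep
#    working; remove -Profile to block on every profile.
$smbPorts = @(
    @{ Protocol = 'TCP'; Port = 445 },
    @{ Protocol = 'TCP'; Port = 139 },
    @{ Protocol = 'TCP'; Port = 137 },
    @{ Protocol = 'UDP'; Port = 137 },
    @{ Protocol = 'UDP'; Port = 139 }
)
foreach ($p in $smbPorts) {
    $name = "Block outbound SMB $($p.Protocol)/$($p.Port) (CVE-2018-0950 mitigation)"
    # Idempotent: skip rules that already exist from a previous run.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound `
            -Protocol $p.Protocol -RemotePort $p.Port -Action Block `
            -Profile Public,Private -Enabled True | Out-Null
    }
}

# 2. Restrict outgoing NTLM, the SSO channel that leaks the challenge/response.
#    Start in audit mode (1), review the Microsoft-Windows-NTLM/Operational
#    event log for legitimate NTLM use that would break, then switch to
#    deny (2). Servers that genuinely need NTLM can be whitelisted in the
#    ClientAllowedNTLMServers multi-string value under the same key.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$mode   = 1   # 1 = audit all outgoing NTLM, 2 = deny all outgoing NTLM
Set-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' `
    -Value $mode -Type DWord

# 3. Show the resulting state so the change can be verified or documented.
Get-NetFirewallRule -DisplayName 'Block outbound SMB*' |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
Get-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' |
    Select-Object RestrictSendingNTLMTraffic
```

Roll this out to a pilot group first: extending the outbound block to the Domain profile, or moving straight to NTLM deny mode, will cut off access to any internal file shares that still rely on SMB with NTLM.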