Microsoft patched a serious security flaw in all currently supported versions of Outlook on Tuesday, April 10th. The patch fixed a flaw which allowed attackers to harvest login credentials from users who simply previewed a specially crafted RTF (Rich Text Format) email.
What should I do to make sure I am not vulnerable?
You should make sure your computer is up to date with the latest patches.
What is this Outlook Exploit all about?
The vulnerability, tracked as CVE-2018-0950, lay in the way Outlook rendered the content of remote OLE (Object Linking and Embedding) objects when previewing RTF emails.
OLE is a technology developed by Microsoft to allow content from one piece of software to be embedded into another. This embedded content can be stored on remote servers and accessed using the SMB (Server Message Block) protocol.
To fetch that content, Outlook would automatically authenticate to the remote SMB server, sharing the account holder's login credentials, including the hashed password, with it. All of this happens without notifying the end user.
Therefore, if the SMB server were controlled by a hacker, he could capture the hashed password and crack it offline. Because most user passwords are not particularly strong, this would be a relatively easy process for any determined hacker, and once cracked it would give him complete access to the user's account.
The vulnerability was first noticed by CERT researcher Will Dormann who reported it to Microsoft on 29 November 2016. Unfortunately, it has taken Microsoft close to 18 months to come up with a fix and even then the patch does not completely solve the problem.
The patch essentially prevents Outlook from initiating an SMB connection during the preview process, but it does not prevent the user from clicking on the link in the email itself. Doing so has the same effect: the user's login details are shared without their knowledge.
To fully mitigate the vulnerability, Dormann suggests installing the patch from Microsoft along with blocking inbound and outbound SMB connections at the network edge. Network admins will need to block TCP ports 445, 137 and 139 along with UDP ports 137 and 139. As a further precaution, NTLM SSO authentication should also be blocked, as advised by Microsoft in November 2017.
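The edge-firewall blocking above can be mirrored on each endpoint as defence in depth. The script below is an added example, not from the original article or from CERT, and it assumes an elevated PowerShell session on a Windows version that ships the NetSecurity module; the rule names and group name are constructed, and the `Internet` address keyword relies on Windows' own definition of which addresses are outside the intranet.

```powershell
# Added example: block outbound SMB/NetBIOS to Internet addresses on the host,
# leaving file sharing to the local network intact. The ports are the ones
# named in the article: TCP 445, 137, 139 and UDP 137, 139.
# Assumption: run as Administrator; rule names below are made up for this example.

$ruleGroup = 'Block outbound SMB to Internet (CVE-2018-0950 mitigation)'

$rules = @(
    @{ Name = 'Block-Outbound-SMB-TCP';     Protocol = 'TCP'; Ports = 445, 137, 139 },
    @{ Name = 'Block-Outbound-NetBIOS-UDP'; Protocol = 'UDP'; Ports = 137, 139 }
)

foreach ($r in $rules) {
    # Idempotent: only create the rule if it does not already exist
    if (-not (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -Group $ruleGroup `
            -Direction Outbound -Action Block -Enabled True -Profile Any `
            -Protocol $r.Protocol -RemotePort $r.Ports `
            -RemoteAddress Internet | Out-Null
        Write-Host "Created rule $($r.Name)"
    }
    else {
        Write-Host "Rule $($r.Name) already present, skipping"
    }
}

# Verification: list the rules in the group with their protocol and port filters
Get-NetFirewallRule -Group $ruleGroup | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Enabled    = $_.Enabled
        Action     = $_.Action
        Protocol   = $portFilter.Protocol
        RemotePort = ($portFilter.RemotePort -join ',')
    }
} | Format-Table -AutoSize
```

Note that this does nothing about SMB traffic from machines outside the host firewall's control, so the perimeter blocking Dormann recommends is still required.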
Users should also take responsibility by using sufficiently complex passwords that are difficult to crack; the best way to ensure this is to implement a strong password policy and manage it using a password manager. No matter what precautions you take, you can be sure that at some point a user will attempt to make an SMB connection to a compromised server, especially now that the vulnerability has been made public.