BadWinmail: the really bad Outlook flaw

An extremely troubling discovery has been made in Windows Outlook by Haifei Li, a security researcher currently employed by McAfee. The problem is so huge that Haifei Li has given it a “personal” name – BadWinmail. The problem affects, first and foremost, enterprise users of the software.

Outlook is extremely popular software with a history of security issues. Microsoft has made Herculean efforts to make it safer, of course: potentially risky files prompt warning dialogs, certain attachments cannot be opened directly, and Office docs are opened in Protected View mode in MS Office (essentially, in a sandbox).

“However, in-depth research has shown that there are critical security problems in Outlook, which can be leveraged to bypass those forementioned mitigations,” Haifei Li writes.

He has discovered a novel attack vector in Outlook, which allows an anonymous attacker to take control of a computer via just an email.

Haifei Li writes that Outlook supports Object Linking and Embedding (OLE) technology, the same one used in Office Word, Excel, PowerPoint and WordPad applications. It is possible to “build” a TNEF message (Transport Neutral Encapsulation Format, Microsoft’s own email format) and send it to the user. When the user reads the email, the embedded OLE object is loaded automatically.

According to the author’s tests, various OLE objects can be loaded via emails, which poses a huge security problem. Outlook blocks various unsafe attachments and only allows Office documents to be opened in its sandbox. However, the discovered feature breaks all of these security efforts.

“I’ve tested and confirmed that the Flash OLE object… can be loaded via the feature. By packing a Flash exploit in an OLE-enabled TNEF email, an attacker can achieve full code execution as long as the victim reads the email,” Haifei wrote.

The researcher discovered yet another way to embed OLE: the .msg file format, which Outlook considers “safe”. It can also be used to deliver an OLE object.
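A mail gateway or triage script can flag the two containers described above (a TNEF stream and a .msg file) by their content rather than by the declared attachment type or name. The Python below is an added example, not code from Haifei Li's report or from Microsoft; the function names and the sample message are constructed for illustration, and it only identifies the containers for further inspection, it does not decide whether an OLE object is inside.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

TNEF_SIG = struct.pack("<I", 0x223E9F78)       # TNEF stream signature
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file, the .msg container
LVL_ATTACHMENT = 0x02                          # TNEF attribute level: attachment

def tnef_attributes(blob):
    """Yield (level, attr_id, checksum_ok) for each attribute in a TNEF stream."""
    pos = 6                                    # skip 4-byte signature + 2-byte key
    while pos + 9 <= len(blob):
        level, attr_id, length = struct.unpack_from("<BII", blob, pos)
        data = blob[pos + 9:pos + 9 + length]
        tail = blob[pos + 9 + length:pos + 11 + length]
        if len(data) < length or len(tail) < 2:
            return                             # truncated stream: stop walking
        yield level, attr_id, sum(data) & 0xFFFF == struct.unpack("<H", tail)[0]
        pos += 11 + length

def triage(raw):
    """Return [(filename, kind, detail)] for TNEF / compound-file parts of a message."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        body = part.get_payload(decode=True) or b""   # None for multipart containers
        name = part.get_filename() or "(inline)"
        if body.startswith(TNEF_SIG):
            attrs = list(tnef_attributes(body))
            n_att = sum(1 for lvl, _, _ in attrs if lvl == LVL_ATTACHMENT)
            bad = sum(1 for _, _, ok in attrs if not ok)
            findings.append((name, "tnef", f"{n_att} attachment-level attrs, {bad} bad checksums"))
        elif body.startswith(CFB_MAGIC):
            findings.append((name, "ole-compound", "possible .msg / OLE container"))
    return findings

def sample_message():
    """Constructed sample: inert containers hidden behind a generic type and name."""
    def attr(level, attr_id, data):
        return struct.pack("<BII", level, attr_id, len(data)) + data + struct.pack("<H", sum(data) & 0xFFFF)
    # attTnefVersion (message level) and an empty attAttachRendData (attachment level)
    tnef = TNEF_SIG + b"\x01\x00" + attr(1, 0x00089006, struct.pack("<I", 0x10000)) + attr(2, 0x00069002, bytes(14))
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "constructed"
    msg.set_content("body")
    msg.add_attachment(tnef, maintype="application", subtype="octet-stream", filename="notes.bin")
    msg.add_attachment(CFB_MAGIC + bytes(32), maintype="application", subtype="octet-stream", filename="memo.dat")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(sample_message()))
```

Both sample attachments are declared as `application/octet-stream` with neutral file names, so a filter keyed on `winmail.dat` or `application/ms-tnef` alone would miss them; the signature check does not.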

Haifei says that unlike Office, there is no sandbox for Outlook, which makes it vulnerable to Flash exploits.

“…If the attacker sends an email to the victim with an embedded Flash exploit (via the “TNEF” format), as long as the victim reads (or we may say, preview) the email, the Flash exploit will be executed in the “outlook.exe” process and it will give the attacker the same privilege of the current user – an ideal way to take control of the victim’s system! Since Outlook will preview the newest email automatically upon launching, it means that if the attacking email is the newest one, the victim has no choice to avoid being attacked – he/she doesn’t even need to read/preview the attacking email,” Haifei wrote, adding a couple of grim examples of what can be done.

Summing up, an attacker can attack anybody who is using Outlook on a Windows 8/8.1/10 system, or on a Windows 7 system which has the Flash ActiveX for IE installed. All the attacker needs to know is the email address of the victim. All the victim needs to do is read/preview the email sent from the attacker. This is an ideal technology for targeted attacks, researchers say, adding that the flaw is very much “wormable”: after compromising one computer via email, a worm may gather all the contacts and then send the same exploit via email to all of them to spread.

Now the good news: before announcing the flaw, Haifei Li worked with Microsoft, and the company delivered the appropriate fixes in the form of MS15-131 (CVE-2015-6172).

If for some reason the patch cannot be applied, there are a couple of workarounds. The first is to read emails in plain text only.

It is also possible to alter the registry keys for Outlook to prevent it from loading Flash content.

Exploit prevention technologies, such as Kaspersky Lab’s AEP, are a fitting security layer here.

The full report by Haifei Li is available at this link.