Outlook is a web-based service, allowing users to manage their contacts, tasks, calendaring and webmail. It is a product from Microsoft, and millions of people from all over the world use it to manage their email accounts and keep up with social networks.
However, researchers have detected a major flaw in Outlook. This is not the first time when vulnerabilities in Microsoft software are exploited for malicious purposes. Just in January, 2018, Zyklon malware took advantage of flaws in Microsoft Office.
Flaws in Outlook allowed crooks to steal credentials
The bug in the web service of Outlook gave hackers an opportunity to steal users’ Windows passwords by having the target preview and email with a Rick Text Format (RTF), containing a remotely hosted OLE object. According to CERT CERT:
“By convincing a user to preview an RTF email message with Microsoft Outlook, a remote, unauthenticated attacker may be able to obtain the victim’s IP address, domain name, user name, host name, and password hash”.
The flaw (CVE-2018-0950) has been patched in the most recent Windows Patch Tuesday. Patch Tuesday is a monthly release, and Microsoft fixes bugs and malfunctions of their products. The patch of this month fixed approximately 66 bugs. With each Patch Tuesday, Microsoft services become more secure.
The flaw in Outlook is related to Windows Object Linking and Embedding ( OLE). Because of OLE, authors can include images or sounds into documents. RTF documents can contain OLE objects. Thanks to SMB, OLE objects can be found on remote servers.
Microsoft has made restrictions in Oulook for the purpose of protecting users’ privacy from web bugs. Therefore, images are prevented from automatically loading in Outlook. In addition to that, Microsoft does not allow Word and HTML formatted Outlook messages to automatically display OLE or other content unless the user permits it. The bug that researchers spotted was found with RTF documents and metadata, distributed through the SMB channel.
Other cases of bugs in Microsoft services
It is natural that researchers are bound to discover vulnerabilities in software or web services. In the case of Microsoft, its Internet Explorer Microsoft Edge browsers have both been detected to have vulnerabilities. Furthermore, bugs in Microsoft Office are also frequently exploited by cyber criminals. You should always update your software: track the Patch Tuesdays and do not hesitate to apply them to your software.
