These days most of us won’t pay much attention to a collection of seemingly random letters and numbers with dashes, but when it comes to this one - CVE-2018-0950 - anyone using Microsoft Outlook email may want to pay a little more of it. CVE-2018-0950 is the name that’s been given to an information disclosure vulnerability in Outlook, and Microsoft released a patch for it this month.
Every quality Canadian web hosting provider takes the initiative to keep their customers informed in these scenarios, and we’re no different here at 4GoodHosting. This one in fact is particularly noteworthy given that Outlook is one of the most popular and common email applications. Given the nature of this flaw and the reality that much personal information can be contained in email communications, this isn’t one to be taken lightly.
The release of the patch mentioned above, however, came roughly 18 months after the report that disclosed the bug was received, courtesy of Will Dormann, a software vulnerability analyst with Carnegie Mellon Software Engineering Institute’s CERT Coordination Center.
This vulnerability can cause sensitive information to be disclosed to a malicious site. Obviously, Microsoft Outlook users need to be aware of this vulnerability and of the safeguards that best neutralize the risk.
Leak Bug Threat Analysis
CVE-2018-0950 affects Microsoft Outlook, and specifically the way it renders Rich Text Format (RTF) email messages that contain OLE objects hosted remotely on an SMB (Server Message Block) server under the control of attackers.
The situation is that when other Microsoft applications such as Word, Excel and PowerPoint encounter remotely hosted OLE objects, the user is notified with a security caution before they are rendered. Here though, Outlook took no such action and allowed attackers easy access to the user’s system when they opened or previewed such emails.
The resultant vulnerability makes it possible for hackers to steal sensitive information. Windows login credentials or hashed passwords are at risk of being revealed, simply by sending an RTF-formatted email to a victim and convincing the recipient to preview or open that email with Microsoft Outlook. It’s that simple, with no need for any further interaction.
The bug then initiates a connection to a remote, malicious SMB server, which leaks the victim’s IP address, user name, host name, domain name, and NTLM over Server Message Block (SMB) password hash. By simply convincing the user to preview an RTF email message with Microsoft Outlook, the attacker may be able to get their hands on all of these, and the password hash may then be cracked offline.
This vulnerability may also be combined with other vulnerabilities to modify the impact, most notably VU#867968. With this combination an attacker could cause a Windows system to blue-screen crash (BSOD) when a malicious email is previewed with Microsoft Outlook.
That’s not to say that Microsoft has been oblivious to all of this. In an attempt to patch the issue, Microsoft released a fix in its patch update for April 2018. The fix prevents Outlook from automatically initiating SMB connections while previewing RTF emails, but it’s not far-reaching enough to prevent all SMB attacks.
Recommended Safeguards
The following safeguards are recommended for Windows users with the aim of mitigating this vulnerability.
- Install the Microsoft patch update that addresses CVE-2018-0950.
- Block the specific ports used for incoming and outgoing SMB sessions: 445/tcp, 137/tcp, 139/tcp, along with 137/udp and 139/udp.
- Block NT LAN Manager (NTLM) Single Sign-on (SSO) authentication.
- Choose complex and long passwords that can’t be cracked easily.
- Do not click on suspicious links in any emails.
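
To verify that the port blocking above is actually in effect, the following added example (not part of the original article) scans a Windows Firewall log for outbound connections on the listed SMB ports to hosts outside the internal network. The log lines are constructed, and the log layout with a path column of SEND/RECEIVE and the list of internal ranges are assumptions to adjust for your environment.

```python
import ipaddress

# Port/protocol pairs taken from the safeguard list above.
SMB_PORTS = {("TCP", 445), ("TCP", 137), ("TCP", 139), ("UDP", 137), ("UDP", 139)}

# Assumption: "internal" means RFC 1918, loopback and link-local address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample in the Windows Firewall log (pfirewall.log) layout.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-04-12 10:15:30 ALLOW TCP 192.168.1.20 192.168.1.5 49710 445 0 - 0 0 0 - - - SEND
2018-04-12 10:15:32 ALLOW TCP 192.168.1.20 203.0.113.45 49712 445 0 - 0 0 0 - - - SEND
2018-04-12 10:15:33 DROP TCP 192.168.1.20 198.51.100.7 49713 139 0 - 0 0 0 - - - SEND
2018-04-12 10:15:34 ALLOW UDP 192.168.1.20 203.0.113.45 137 137 0 - - - - - - - SEND
2018-04-12 10:15:35 ALLOW TCP 192.168.1.20 203.0.113.45 49714 443 0 - 0 0 0 - - - SEND
2018-04-12 10:15:36 ALLOW TCP 203.0.113.45 192.168.1.20 51000 445 0 - 0 0 0 - - - RECEIVE
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def external_smb_egress(log_text):
    """Return outbound SMB/NetBIOS connections to non-internal hosts."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names from the header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            key = (row["protocol"].upper(), int(row["dst-port"]))
            external = not is_internal(row["dst-ip"])
        except (KeyError, ValueError):
            continue                           # malformed row or no port (e.g. ICMP)
        if row.get("path") == "SEND" and key in SMB_PORTS and external:
            hits.append({"time": row["date"] + " " + row["time"], "action": row["action"],
                         "dst": row["dst-ip"], "proto": key[0], "port": key[1]})
    return hits

if __name__ == "__main__":
    for hit in external_smb_egress(SAMPLE_LOG):
        flag = "NOT BLOCKED" if hit["action"] == "ALLOW" else "blocked"
        print(hit["time"], hit["proto"], hit["dst"], hit["port"], flag)
```

Any hit with action ALLOW means an SMB session left the network despite the safeguard and the egress rule needs attention.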