Windows security: Microsoft patch for Outlook password leak bug 'not a full fix'

Attackers can make Outlook leak password hashes just by previewing an RTF-formatted email.
Written by Liam Tung, Contributing Writer

Video: When it comes to malware, Windows 10 is twice as secure as Windows 7

Microsoft has fixed an important Outlook bug it's known about for over a year, capable of leaking password hashes when users preview a Rich Text Format (RTF) email with remotely hosted OLE objects.

The bug, reported by CERT/CC vulnerability analyst Will Dormann in November 2016, was finally fixed in yesterday's Patch Tuesday release.

The risk to passwords stems from how Outlook handles RTF email with Object Linking and Embedding (OLE) objects that are hosted on a remote SMB server.

SMB (Server Message Block) is a network file-sharing protocol. SMB servers can use Microsoft's NT LAN Manager (NTLM) authentication protocol for establishing a connection between a Windows client and an SMB server.

In 2016, Dormann discovered that Microsoft didn't apply the same restrictions on content loaded from a remote SMB server as it did for web-hosted content.

Download now: Password management policy

Outlook won't, for example, automatically load web-hosted images in email because it may leak a client's IP address and metadata details such as the time the email is viewed.

However, this precaution isn't present in Outlook when recipients preview an RTF email message with an OLE object loaded from a remote SMB server.

Dormann discovered that the OLE-SMB scenario also leaks much more than a user's IP address. As soon as the email is previewed, the PC automatically negotiates an SMB session with a potentially malicious remote SMB server, which in turn leaks the client's IP address, domain name, user name, host name, and the SMB session key in the form of an NTLM over SMB password hash.

The immediacy of the threat from such an attack would depend on the strength of the target's password.

Dormann's test with two password crackers on a mid-range GPU cracked simple passwords like 'test' within seconds.

Eight-character passwords consisting of all lower-case randomly generated letters could be cracked in just 16 minutes in a worst-case scenario, while an eight-character passphrase with mixed-case letters, digits, and symbols would take at least one year with this minimal set-up.

However, Dormann notes that Microsoft's fix for the vulnerability CVE-2018-0950 doesn't prevent all remote SMB attacks.

Instead of loading a remote image, the attacker could send the target a Universal Naming Convention (UNC) link beginning with '\\' to direct the user to a malicious SMB server, which will still automatically begin an SMB session that leaks the same data. But the victim would need to click the link rather than merely preview the email.

Related: 20 pro tips to make Windows 10 work the way you want (free PDF)

He recommends installing the Microsoft patch but advises admins to take other precautions, including blocking specific TCP and UDP ports for incoming and outgoing SMB sessions, blocking NTLM single sign-on to external resources, and requiring users to use longer passphrases over passwords.

Microsoft is of the view that this bug is "more likely" to be exploited now that it's known.

Microsoft has provided patches for 63 vulnerabilities in this month's update, including 22 critical flaws.

Previous and related coverage

Windows 10 security: Microsoft patches critical flaw in Windows Defender

Just scanning a specially-crafted file could lead to a totally compromised Windows machine.

Windows RDP flaw: 'Install Microsoft's patch, turn on your firewall'

Attackers can use a protocol bug in Windows RDP to steal session authentication and take over a network domain.

Windows patches: Microsoft kills off Word's under-attack Equation Editor, fixes 56 bugs

Microsoft removes Equation Editor from Word after finding more attacks on Office users.

Windows 10 update: Microsoft's latest bug fixes include AMD reboot patches

New Windows 10 build includes fixes for unbootable AMD CPUs for those who didn't patch them manually.

Windows security: Microsoft issues Adobe patch to tackle Flash zero-day

Microsoft is protecting Windows users from a Flash Player flaw exploited by suspected North Korean hackers.

Windows 10: Microsoft lifts block on security updates after sorting out AV clash (TechRepublic)

The removal of the AV compatibility checks will mean that patches to mitigate the risk from Spectre and Meltdown attacks released since January will now be available to a wider range of PCs.

Editorial standards