CVE-2018-0950 is the identifier assigned to an information disclosure vulnerability in Outlook for which Microsoft released a patch this month, almost 18 months after receiving the report disclosing the bug.
The vulnerability was discovered in 2016 by Will Dormann, who has been a software vulnerability analyst with Carnegie Mellon Software Engineering Institute’s CERT Coordination Center (CERT/CC) since 2004.
This vulnerability can result in the disclosure of sensitive information to a malicious site. Thus, Microsoft Outlook users need to be aware of this vulnerability and its safeguards.
Threat Analysis of the ‘important’ leak bug and its impact
As Dormann discovered, the CVE-2018-0950 flaw affects Microsoft Outlook when it renders Rich Text Format (RTF) email messages containing remotely hosted OLE objects, where the objects are hosted on an SMB (Server Message Block) server under the attacker's control.
Other Microsoft applications such as Word, Excel and PowerPoint notify the user before rendering remotely hosted OLE objects, as a security precaution. Dormann found that Outlook did not, so an attacker gained easy access to the user’s system as soon as such a mail was opened or previewed.
An attacker can use this vulnerability to steal sensitive information, including a user’s Windows login credentials or hashed passwords, simply by sending an RTF-formatted email to the victim and convincing them to open or preview it in Microsoft Outlook; no further interaction is needed.
Outlook then automatically initiates a connection to the remote, malicious SMB server, which leaks the victim’s IP address, user name, domain name, host name, and the NTLM password hash sent over Server Message Block (SMB).
“By convincing a user to preview an RTF email message with Microsoft Outlook, a remote, unauthenticated attacker may be able to obtain the victim’s IP address, domain name, user name, host name, and password hash. This password hash may be cracked offline. This vulnerability may be combined with other vulnerabilities to modify the impact. For example, when combined with VU#867968, an attacker could cause a Windows system to blue-screen crash (BSOD) when a specially-crafted email is previewed with Microsoft Outlook.” - CERT
Combine with an SMB vulnerability, and you’ve got some real fun. pic.twitter.com/qlguR5npl8
— Will Dormann (@wdormann) April 10, 2018
Microsoft security update for CVE-2018-0950: a partial fix
Microsoft addressed the issue in its April 2018 Patch Tuesday update. The fix prevents Outlook from automatically initiating SMB connections while previewing RTF emails, but it does not prevent all SMB attacks.
Note that even with the update, Outlook users are still a single click away from the exact same impact. pic.twitter.com/UM7LOoiHtM
— Will Dormann (@wdormann) April 10, 2018
Windows users are therefore advised to adopt the following safeguards to mitigate this vulnerability.
Recommended Safeguards
- Install and apply the Microsoft security update for CVE-2018-0950.
- Block the ports used for SMB sessions, 445/tcp, 137/tcp and 139/tcp along with 137/udp and 139/udp, both incoming and outgoing.
- Block NT LAN Manager (NTLM) Single Sign-on (SSO) authentication.
- Prefer long, complex passwords that cannot be cracked easily.
- Avoid clicking on suspicious links added in the emails.
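The following PowerShell script is an added example, not code from the article, CERT or Microsoft; it applies the port-blocking and NTLM SSO safeguards from the list above on a single Windows host. The rule names, the `$smbPorts` table and the decision to create both inbound and outbound rules are this example's own choices.

```powershell
# Added example: applies two of the safeguards above on one Windows host.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated session.
# Rule display names and the "(CVE-2018-0950)" suffix are chosen here, not standard.
#Requires -RunAsAdministrator

# SMB session ports named in the article: 445/tcp, 137/tcp, 139/tcp, 137/udp, 139/udp.
$smbPorts = @(
    @{ Protocol = 'TCP'; Port = 445 },
    @{ Protocol = 'TCP'; Port = 139 },
    @{ Protocol = 'TCP'; Port = 137 },
    @{ Protocol = 'UDP'; Port = 137 },
    @{ Protocol = 'UDP'; Port = 139 }
)

foreach ($p in $smbPorts) {
    foreach ($dir in 'Outbound', 'Inbound') {
        $name = "Block SMB $($p.Protocol) $($p.Port) $dir (CVE-2018-0950)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            # The outbound rule is what stops an Outlook-initiated SMB connection from leaving
            # the host. The inbound rule mirrors the article's advice but also breaks any file
            # share this machine offers, so omit it on file servers.
            $portParam = if ($dir -eq 'Outbound') { @{ RemotePort = $p.Port } }
                         else                     { @{ LocalPort  = $p.Port } }
            New-NetFirewallRule -DisplayName $name -Direction $dir -Protocol $p.Protocol `
                -Action Block -Profile Any -Enabled True @portParam | Out-Null
        }
    }
}

# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" = Deny all.
# 0 = allow all, 1 = audit all, 2 = deny all. Deny-all blocks NTLM SSO to remote servers,
# so on a domain member add any servers that still need NTLM to the exception list first.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
New-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 2 `
    -PropertyType DWord -Force | Out-Null

# Verify: list the rules created above and the current NTLM restriction value.
Get-NetFirewallRule -DisplayName 'Block SMB * (CVE-2018-0950)' |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize
Get-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic'
```

Run it in an elevated PowerShell session and check that the outbound 445/tcp rule appears as Enabled before testing the preview behaviour in Outlook.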