Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Outlook Bug Doesn't Require Users To Interact With Emails To Be Compromised (softpedia.com)

Posted by timothy on from the just-positioned dept.

An anonymous reader writes: A new bug in Outlook allows attackers only to send you an email, and without clicking or downloading attachments, a user's computer can be compromised. The bug [PDF] is because Outlook allows Flash objects to be previewed without a sandbox. Flash files are demon spawns and attackers can put exploits in malicious files, which when previewed or viewed inside an Outlook application will automatically execute their payload.

18 of 102 comments (clear)

  1. Dreaming of an alternate universe. by Anonymous Coward · · Score: 2, Insightful

    How much better would the world be without Microcrap and Flash?
    Pity, they are like a plague. Like Zombies. We don't seem to able to get rid of them.

  2. Seems like Microsoft don't learn from mistakes by Z00L00K · · Score: 4, Informative

    The Melissa mail worm seems to be forgotten, but there's a new generation of coders now that weren't even in school when that occurred.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:Seems like Microsoft don't learn from mistakes by Zontar+The+Mindless · · Score: 4, Funny

      This is what happens when companies require their workers to delete mails that are over 6 months old.

      --
      Il n'y a pas de Planet B.
    2. Re:Seems like Microsoft don't learn from mistakes by Dr_Barnowl · · Score: 4, Insightful

      They install software that stops you writing to USB drives these days, to prevent corporate secrets being stolen.

    3. Re:Seems like Microsoft don't learn from mistakes by jbengt · · Score: 4, Funny

      I ran into that a decade ago when my client needed to get me some data. But fortunately the company let their corporate secrets be written to a CD, instead.

  3. Doesn't seem like anything new by JaredOfEuropa · · Score: 5, Informative

    Years ago we were warned to turn off Outlook previews, for exactly this reason. Also, my copy of Outlook doesn't download or render attachments (or even images) unless told to, for every individual email. As far as I know, that is the default behaviour. The danger is that you can whitelist senders so that their attachments are downloaded without confirmation, and spammers often use commonly used email addresses as the originator.

    The summary is incorrect as well. FTA: "The only condition is that the user views or previews the email in which the attacker has embedded a malicious Flash file." So you still need to click. The only exception is if your Outlook is set to always download attachments, show a preview, and if the malicious email is the last one to arrive, since the mail will then be shown in the preview window upon opening Outlook.

    Lastly, Flash needs to die

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    1. Re:Doesn't seem like anything new by lucm · · Score: 4, Funny

      my copy of Outlook doesn't download or render attachments (or even images) unless told to

      That's why Lotus Notes is so amazing. Even when you tell it to, it doesn't download or render things. Security by mediocrity.

      --
      lucm, indeed.
    2. Re:Doesn't seem like anything new by cbhacking · · Score: 2

      Removing or renaming the Flash binary, making it non-executable (yes, Windows has Execute permissions, just like *nix), or de-registering it from HKCR (ActiveX is just COM, and registers by GUIDs under HKCR\Classes, or using regsvr) are all valid options here, too.

      But yes, it's pretty goddamn stupid that Outlook should execute Flash. It doesn't allow scripts in HTML email, but it allows something that is a superset of what JavaScript can do? Moronic.

      --
      There's no place I could be, since I've found Serenity...
  4. Already fixed by Anonymous Coward · · Score: 4, Informative

    Why doesn't the summary mention that this was fixed by an update released on patch tuesday dec 8?

    1. Re:Already fixed by jrumney · · Score: 2

      The editors were too busy chuckling over the irony of releasing a story about an Outlook exploit involving a Flash infection vector, with a link to the details in a PDF doc.

  5. Re:So to summarise TFA... by climb_no_fear · · Score: 3, Informative

    * It's yet another flash bug,

    It is not just Flash. If you read the article more carefully, you would have seen this (from the article):

    We use Flash OLE object as an example since Flash (zero-day) exploits are easy to obtain by attackers, but please note that there are other OLE objects may be abused by attacker, as not only Flash but also a number of other OLE objects can be loaded in Outlook.

  6. Re:So to summarise TFA... by penix1 · · Score: 2

    I am going to hit on a few of your points...

    * It's yet another flash bug, Outlook is just the host instead of IE or whatever. If you still have Flash on your system you should just assume you are pwned already and post your bank account, credit card details and nude photos straight to 4chan to shorten the painful process.

    The problem is two pronged. Yes, having flash installed is a huge risk but the other part of the prong that keeps flash alive is the multitude of sites out there that require it for whatever reason. Until those sites stop requiring flash to operate correctly, you will see flash hanging in there.

    * It only affects you if you have preview window on, _and_ the malicious email happens to be the first one in the mailbox when Outlook is started.

    You forgot to add in "and you view email in HTML." I have Outlook (at work) set to only use plain text for both receiving and sending. Allowing HTML in email is the stupidest thing ever implemented. That is what truly needs to die!

    * If you still remember when internet connection speeds were measured in baud and you had to whistle for your email, you will use email in the way $deity intended and get the headers first so (at least some of) the crap never even hits your system, making this even less likely.

    The headers won't tell you shit about embedded flash. So when 80 year old Aunt Marge gets pwned and used as a relay for this bug you still get it.

    --
    This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
  7. Flash must be evil because HTML5 is so good? by TheRealHocusLocus · · Score: 4, Insightful

    Lastly, Flash needs to die

    Just curious... why are people on a coding site declaring "Flash needs to die" instead of something like, Flash needs to be completely deconstructed and rewritten by the open source community using the most conservative style of programming, a system that forces a multi-person review of commits, hit with the best enumeration tools we have, so that arbitrary code execution is not possible? Which might be possible because processor speed has improved since it was first designed and the assembly level hacks that made it possible areno longer necessary? And when we are done, the worst thing that could ever happen is that someone might display goatse.cx inside a Flash window?

    Instead of busting into the kitchen, grabbing pans off the wall and showing the chef how steak should be done, we sit at the table banging our forks and knives, shouting, "Down with meat!"

    It's easy to make fun of Outlook, where with maliciously crafted embedded binary OLE blobs you can trigger exploits in many versions of Microsoft products. The faults lie in the products themselves not the Blob. But Flash self contained and lives inside a little rectangle. It is cross platform, amply documented and widely used today. Why must it die? So that generations of beloved Internet content can be 'destroyed' overnight? It almost smells like book-burning.

    --
    <blink>down the rabbit hole</blink>
  8. Re:Ok. by NoNonAlphaCharsHere · · Score: 4, Informative

    I really don't understand why TFS starts with "A new bug in Outlook..." - after all, it's the SAME bug in Outlook -- since about 1997. Looks like the marketing department at Microsoft, in their endless desire for yet more whizzo shit has (potentially/inevitably) won yet another Pwnie Award. Whenever I see someone with a palm-shaped bruise on their forehead, I know they're a Windows sysadmin. This one reminds me of that Windows Explorer bug that executed arbitrary code from inside image (picture) files when you opened the directory they were stored in.

    "As if millions of voices cried out 'DUH!!!' and were suddenly silenced."

  9. Re: Ok. by Anonymous Coward · · Score: 3, Funny

    Not really. The proposed new name is LookOut!

  10. Re:Ok. by penguinoid · · Score: 4, Funny

    Well, the fortune cookie did say "Outlook not so good".

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  11. important point, actually. Mail doesn't need code by raymorris · · Score: 3, Insightful

    That's actually a valid and important point. Flash files are executable code. How many dozens of significant vulnerabilities have been caused Outlook running macros, Flash, Javascript, and other types of executables embedded in emails? Outlook has at least three or four programming languages it can run from emails.

      That's entirely unnecessary. Many people, including myself, have always used email clients that just read email - they don't, and can't, execute anything. If security is important to you, it makes sense to consider whether your email reader really needs to be able run code found within emails, whether your web browser needs to also be your desktop shell, as "a fundamental part of the Windows operating system", etc. There many are huge classes of vulnerabilities that can't happen if you choose software that simply does it's job, without hundreds of tangential features bolted on unnecessarily.

  12. Re:Ok. by allo · · Score: 2

    did you mean the magic 8ball?