Haifei Li, a security researcher, has discovered a critical remote code execution bug in Microsoft Outlook, which he calls the BadWinmail vulnerability. He has published a paper, a proof of concept and a video demonstrating the bug.
Receive Just An Email And You Are Hacked!
Haifei Li named this vulnerability BadWinmail. Successful exploitation can infect a PC with just one email. It is especially concerning that merely receiving the mail is enough to cause the damage; no user action is required. Victims do not need to click or open any attachment, or even open the mail, to become infected. This makes it a highly attractive attack vector for cyber criminals targeting enterprises.
Normally, applications run code in their own sandbox, which isolates the machine from potentially dangerous objects such as Flash content. Outlook does not; it runs everything without that isolation. MS Office uses OLE (Object Linking and Embedding), which lets objects be embedded in Office files, including Outlook emails. The bug lies here: malicious code in an embedded object can run like any other software installed on the victim's PC.
Successful Attack Vectors Developed.
The security researcher has tested and confirmed a novel attack vector against Outlook users via email: a Flash (or other type of) exploit can be packed and delivered via a TNEF email (or an MSG attachment). The most serious aspect is that the exploit executes as soon as the Outlook user reads or previews the attacking email.
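Because the delivery container is a TNEF stream (the winmail.dat attachment Outlook generates), a mail gateway or incident responder can triage such messages by walking the TNEF attribute list and flagging any attachment whose payload is an OLE compound document. The following is an added example written for this article, not code from Haifei Li's research or from Microsoft: it implements a minimal TNEF parser following the MS-OXTNEF attribute layout (level byte, attribute id, length, value, 16-bit checksum), groups attachment-level attributes into attachments, and reports those that start with the OLE compound file signature. The sample stream is constructed in `build_sample()`; the OLE-signature check is a triage heuristic for embedded objects, not a detector for this specific vulnerability.

```python
import struct

# TNEF constants from MS-OXTNEF. Attribute ids are 32-bit little-endian values
# whose high word is the data type and whose low word is the attribute id.
TNEF_SIGNATURE = 0x223E9F78
LVL_MESSAGE = 0x01
LVL_ATTACHMENT = 0x02
ATT_TNEF_VERSION = 0x00089006
ATT_OEM_CODEPAGE = 0x00069007
ATT_ATTACH_RENDDATA = 0x00069002   # starts a new attachment
ATT_ATTACH_TITLE = 0x00018010      # attachment file name
ATT_ATTACH_DATA = 0x0006800F       # raw attachment bytes

# Magic bytes of an OLE compound file (the container used for embedded OLE objects).
OLE_CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def checksum(data):
    """TNEF attribute checksum: sum of the value bytes modulo 65536."""
    return sum(data) & 0xFFFF


def parse_tnef(blob):
    """Return a list of (level, attr_id, value) tuples; raise ValueError on malformed input."""
    if len(blob) < 6 or struct.unpack_from("<I", blob, 0)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos = 6  # 4-byte signature + 2-byte attachment key
    attrs = []
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise ValueError("truncated attribute header")
        level = blob[pos]
        attr_id, length = struct.unpack_from("<II", blob, pos + 1)
        pos += 9
        if pos + length + 2 > len(blob):
            raise ValueError("attribute length exceeds stream")
        value = blob[pos:pos + length]
        pos += length
        (stored,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        if stored != checksum(value):
            raise ValueError("attribute checksum mismatch")
        attrs.append((level, attr_id, value))
    return attrs


def extract_attachments(attrs):
    """Group attachment-level attributes; each attAttachRenddata begins a new attachment."""
    attachments = []
    current = None
    for level, attr_id, value in attrs:
        if level != LVL_ATTACHMENT:
            continue
        if attr_id == ATT_ATTACH_RENDDATA:
            current = {"title": None, "data": b""}
            attachments.append(current)
        elif current is None:
            continue  # attachment attribute before any RendData: ignore
        elif attr_id == ATT_ATTACH_TITLE:
            current["title"] = value.rstrip(b"\x00").decode("cp1252", "replace")
        elif attr_id == ATT_ATTACH_DATA:
            current["data"] = value
    return attachments


def triage(blob):
    """Return (index, title, reason) for every attachment carrying an OLE compound document."""
    findings = []
    for i, att in enumerate(extract_attachments(parse_tnef(blob))):
        if att["data"].startswith(OLE_CFB_MAGIC):
            findings.append((i, att["title"], "OLE compound document"))
    return findings


def build_attr(level, attr_id, value):
    """Serialize one TNEF attribute (used only to construct the sample below)."""
    return (bytes([level]) + struct.pack("<II", attr_id, len(value))
            + value + struct.pack("<H", checksum(value)))


def build_sample():
    """Constructed TNEF stream: a text attachment followed by an OLE-container attachment."""
    blob = struct.pack("<IH", TNEF_SIGNATURE, 0x1234)
    blob += build_attr(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
    blob += build_attr(LVL_MESSAGE, ATT_OEM_CODEPAGE, struct.pack("<II", 1252, 0))
    blob += build_attr(LVL_ATTACHMENT, ATT_ATTACH_RENDDATA, b"\x00" * 14)
    blob += build_attr(LVL_ATTACHMENT, ATT_ATTACH_TITLE, b"notes.txt\x00")
    blob += build_attr(LVL_ATTACHMENT, ATT_ATTACH_DATA, b"hello\n")
    blob += build_attr(LVL_ATTACHMENT, ATT_ATTACH_RENDDATA, b"\x00" * 14)
    blob += build_attr(LVL_ATTACHMENT, ATT_ATTACH_TITLE, b"invoice.doc\x00")
    # Constructed placeholder: only the OLE magic plus zero padding, not a real object.
    blob += build_attr(LVL_ATTACHMENT, ATT_ATTACH_DATA, OLE_CFB_MAGIC + b"\x00" * 24)
    return blob


if __name__ == "__main__":
    for index, title, reason in triage(build_sample()):
        print(f"attachment {index} ({title}): {reason}")
```

In practice the stream would come from the winmail.dat part of a message; the parser rejects truncated streams and checksum mismatches rather than guessing, which matters when the input is attacker-controlled.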
Impact: Enterprise Killer Vulnerability.
Successful exploitation allows the attacker to take control of the victim's computer immediately. Its severity makes BadWinmail an ideal technique for targeted/APT attacks: all the attacker needs to know is the victim's email address.
"It's a 'killer' exploit-delivering method as usual tricks such as delivering via email attachments or delivering via URLs (in email bodies) require additional user interactions and are protected by various application sandboxes. It's also a wormable issue rarely seen on Windows platform nowadays," says the author in his disclosure mail to seclists.org.
Haifei Li reported this bug to Microsoft and it was fixed on December 8. Software that has not been updated remains vulnerable, so installing the specific updates and patches is recommended. Microsoft has also suggested workarounds such as disabling message previews and disabling the reading of Outlook email messages in HTML. For more details, refer to Microsoft Office RCE Vulnerability – CVE-2015-6172.