There are two newly discovered (and patched) vulnerabilities in Outlook. The first is a remote code execution flaw. Unlike many remote code vulnerabilities, which require the user to do something such as visit a web site or open a file, this RTF/TNEF issue triggers as soon as the targeted person opens a message. The exploit is packed inside a winmail.dat file; when Outlook renders the winmail.dat, the attacker's code runs. The second exploit uses OLE objects embedded in messages that are attached to other email messages.
If you haven't already installed the Security Update for Microsoft Office to Address Remote Code Execution (3116111), released on December 8, 2015, install it as soon as possible. If you are unable to install the update, read mail in plain text, or use a macro to convert RTF messages to plain text as they arrive.
It's also possible to set a registry key that stops Office applications, Outlook included, from loading the Flash ActiveX control (the CLSID below is the Shockwave Flash object; the 0x400 flag is Office's "do not load" kill bit for that COM class):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}
DWORD: Compatibility Flags
Value: 00000400
As always, user accounts with fewer user rights on the system could be less impacted than those who operate with administrative user rights.
For more information about this exploit, see https://sites.google.com/site/zerodayresearch/BadWinmail.pdf
A demo is available on YouTube
OLE Exploit
The OLE exploit is detailed here: #OLEOutlook - bypass almost every Corporate security control with a point'n'click GUI.
To mitigate this issue (and any new ones that crop up) you can configure Outlook to hide OLE package objects, the Packager-wrapped files that the #OLEOutlook trick relies on, using group policy or by setting a registry key:
Outlook 2016
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\Security
DWORD: ShowOLEPackageObj
Value: 0
Outlook 2013
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Outlook\Security
DWORD: ShowOLEPackageObj
Value: 0
Outlook 2010
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0\Outlook\Security
DWORD: ShowOLEPackageObj
Value: 0
Outlook 2007
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD: ShowOLEPackageObj
Value: 0
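If you have more than a handful of machines, setting these by hand gets old fast. The PowerShell below is an added example, not code from the original post or from Microsoft; it applies both of the registry mitigations described above (the Flash kill bit from the first section and ShowOLEPackageObj for all four Outlook versions listed) and then reports their state so you can verify the change. The function names and the version list are my own choices; the key paths and values are the ones given on the page. The HKLM key needs an elevated prompt, and the kill bit is OR-ed into any Compatibility Flags already present rather than overwriting them.

```powershell
# Added example (not from the original post): apply and audit the two Outlook
# mitigations described above. Run from an elevated PowerShell for the HKLM part.
# Assumptions: the version list below matches the page (2007/2010/2013/2016);
# function names are my own. Group Policy can overwrite the HKCU policy keys.

$FlashClsid      = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash object
$KillBitPath     = "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$FlashClsid"
$KillBitFlag     = 0x400                                      # Office "do not load" bit
$OutlookVersions = @('12.0', '14.0', '15.0', '16.0')          # 2007, 2010, 2013, 2016

function Get-OutlookPolicySecurityPath([string]$Version) {
    # Per-user policy key that holds ShowOLEPackageObj for one Outlook version.
    return "HKCU:\Software\Policies\Microsoft\Office\$Version\Outlook\Security"
}

function Set-OfficeFlashKillBit {
    # Create the CLSID key if it is missing and OR 0x400 into Compatibility Flags,
    # keeping any bits that are already set. Returns the resulting flags value.
    if (-not (Test-Path -LiteralPath $KillBitPath)) {
        New-Item -Path $KillBitPath -Force | Out-Null
    }
    $current = (Get-ItemProperty -LiteralPath $KillBitPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    $new = $current -bor $KillBitFlag
    Set-ItemProperty -LiteralPath $KillBitPath -Name 'Compatibility Flags' -Value $new -Type DWord
    return $new
}

function Set-OutlookHideOlePackages {
    # ShowOLEPackageObj = 0 under each version's policy key (hides OLE package objects).
    foreach ($v in $OutlookVersions) {
        $path = Get-OutlookPolicySecurityPath $v
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        Set-ItemProperty -LiteralPath $path -Name 'ShowOLEPackageObj' -Value 0 -Type DWord
    }
}

function Get-OutlookMitigationStatus {
    # Read both settings back so the change can be verified (or audited elsewhere).
    $flags = (Get-ItemProperty -LiteralPath $KillBitPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flagsText = '<absent>'
    if ($null -ne $flags) { $flagsText = '0x{0:X}' -f $flags }
    [pscustomobject]@{
        Setting = 'Flash kill bit (HKLM)'
        Value   = $flagsText
        Enabled = ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
    }
    foreach ($v in $OutlookVersions) {
        $path = Get-OutlookPolicySecurityPath $v
        $val  = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).ShowOLEPackageObj
        $valText = '<absent>'
        if ($null -ne $val) { $valText = $val }
        [pscustomobject]@{
            Setting = "ShowOLEPackageObj ($v)"
            Value   = $valText
            Enabled = ($null -ne $val) -and ($val -eq 0)
        }
    }
}

# Apply both mitigations, then print a table showing what is actually in the registry.
Set-OfficeFlashKillBit | Out-Null
Set-OutlookHideOlePackages
Get-OutlookMitigationStatus | Format-Table -AutoSize
```

Run the audit function on its own (without the two Set- calls) to check a machine you have not touched; a row with Enabled = False tells you which mitigation is missing. Because the ShowOLEPackageObj keys live under HKCU\Software\Policies, a domain GPO that manages Outlook security settings will win over whatever this script writes, so deploy through Group Policy where one is in use.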
Wow,
Thank you for the information. Perhaps you should create an "Outlook Hardening" article. I just want to use it to read email!
Good idea. :)
Most users are at low risk from these kinds of exploits but it just takes one silly mistake...