13 APRIL, 2018

Microsoft Outlook SMB Vulnerability

A vulnerability in Microsoft Outlook (CVE-2018-0950) allows hackers to easily steal sensitive information, including users’ Windows login credentials.

The exploit uses the SMB (Server Message Block) vulnerability to take control of affected systems. Considering that 65% of organisations incorrectly thought they had patched the SMBv1 vulnerability, this leaves them exposed to the increasingly popular “fileless” and “living off the land” attacks.

Because Microsoft Outlook automatically renders remotely hosted OLE content, when an attacker sends an RTF (Rich Text Format) email message and the victim previews it, Outlook automatically initiates SMB connections using single sign-on (SSO).

[Figure: Microsoft Outlook vulnerability, screenshot of RTF email]

Without any further user interaction, this can then hand the victim’s username and the NTLMv2 hashed version of their password to the attacker, potentially allowing the attacker to gain access to the victim’s system.

The following image shows how authentication via the SMB protocol works in combination with the NTLM response authentication mechanism.

[Figure: SMB authentication with NTLM response]

A patch has finally been issued; however, it does not address the core of the problem. It only blocks Outlook from initiating SMB connections when previewing rich-formatted emails, so the fix does not prevent all SMB attacks.

Recommendations

Apply the Microsoft update for CVE-2018-0950, found here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0950
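Because the patch only stops Outlook itself from starting SMB connections, a compensating control is to watch for (or block) SMB traffic leaving the network towards addresses you do not own. The following is an added example, not code from Secrutiny or Microsoft: it scans constructed firewall-style log lines for internal hosts opening TCP 445/139 to non-internal addresses, and the log format, the RFC 1918 internal ranges and the sample addresses are all assumptions.

```python
import ipaddress
import re

# Constructed firewall-style log lines (sample data, not taken from the advisory).
# Assumed format: "<ts> src=<ip>:<port> dst=<ip>:<port> proto=<proto> action=<allow|deny>"
SAMPLE_LOGS = """\
2018-04-13T09:12:01Z src=10.20.4.17:51234 dst=10.20.1.5:445 proto=tcp action=allow
2018-04-13T09:12:03Z src=10.20.4.17:51240 dst=203.0.113.45:445 proto=tcp action=allow
2018-04-13T09:12:04Z src=10.20.4.17:51241 dst=203.0.113.45:139 proto=tcp action=allow
2018-04-13T09:12:09Z src=10.20.4.22:51300 dst=198.51.100.8:443 proto=tcp action=allow
2018-04-13T09:12:10Z src=10.20.4.31:51301 dst=198.51.100.9:445 proto=tcp action=deny
"""

SMB_PORTS = {445, 139}  # direct-hosted SMB and NetBIOS session service
# Ranges treated as "inside"; assumed RFC 1918 here, adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<sip>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)$"
)

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_external_smb(log_text):
    """Return records where an internal host opened an SMB port towards a non-internal address."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        if is_internal(rec["sip"]) and not is_internal(rec["dip"]):
            hits.append(rec)
    return hits

def summarise(hits):
    """Per internal host, the set of external SMB destinations, split by firewall action."""
    summary = {}
    for rec in hits:
        entry = summary.setdefault(rec["sip"], {"allow": set(), "deny": set()})
        entry[rec["action"]].add(rec["dip"])
    return summary
```

Running `summarise(find_external_smb(SAMPLE_LOGS))` on the sample flags host 10.20.4.17 as having reached an external SMB server, while the blocked attempt from 10.20.4.31 shows up under "deny", which is still worth triaging as a possible trigger.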
