Microsoft used yesterday’s Patch Tuesday to “fix” a longstanding vulnerability in Outlook. The flaw has been known about for nearly two years and can result in password hashes leaking when a Rich Text Format (RTF) is previewed. However, not all is what it seems.
The reason I put the word fix in quotation marks above is because the patch does not stop all attacks. That’s according to Will Dormann, a CERT/CC analyst who originally discovered the Outlook flaw in November 2016.
Outlook’s way of handling RTF email with Object Linking and Embedding (OLE) objects on a remote SMB (Server Message Block) is the root of the problem. The SMB network file-sharing protocol uses Microsoft’s NT LAN Manage (NTLM) authentication for creating a connection between the SMB and Windows.
Dormann found this authentication protocol was not used on content loaded from a remote SMB server. In Outlook, this means the service does not load web-hosted image automatically in emails in case it leaks important metadata. However, the limitation is not available when an RTF email message with an OLE Object from a remote SMB server is previewed.
When previewing a malicious email, a user could unwittingly give away information such as their username, domain name, host name, SMB key, and more. Dormann tested how hard it would be to crack passwords and found simple passwords could be bypassed in seconds. Low case letters took just 16 minutes, and an 8-digit passcode with upper/lower case letters, numbers, and symbols would take at least a year.
Patch Tuesday
Microsoft has been very slow to shore up this problem. However, on Patch Tuesday yesterday the company did issue a fix. However, Dormann believes the patch does not stop all remote SMB attacks.
“This fix helps to prevent the attacks outlined above. It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above. For example, if an email message has a UNC-style link that begins with “\\”, clicking the link initiates an SMB connection to the specified server.”
Not is all lost. Microsoft did patch against many types of attacks, but it is clear there is still a vulnerability. Dormann suggests the following mitigations to ensure Outlook is safer against remote SMB attacks:
- Install Microsoft update CVE-2018-0950. This update prevents automatic retrieval of remote OLE objects in Microsoft Outlook when rich text email messages are previewed. If a user clicks on an SMB link, however, this behavior will still cause a password hash to be leaked.
- Block inbound and outbound SMB connections at your network border. This can be accomplished by blocking ports 445/tcp, 137/udp, 139/udp, as well as 137/udp and 139/udp.
- Block NTLM Single Sign-on (SSO) authentication, as specified in Microsoft Security Advisory ADV170014. Starting with Windows 10 and Server 2016, if the EnterpriseAccountSSO registry value is created and set to 0, SSO authentication will be disabled for external and unspecified network resources. With this registry change, accessing SMB resources is still allowed, but external and unspecified SMB resources will require the user to enter credentials as opposed to automatically attempting to use the hash of the currently logged-on user.
- Assume that at some point your client system will attempt to make an SMB connection to an attacker’s server. For this reason, make sure that any Windows login has a sufficiently complex password so that it is resistant to cracking. The following two strategies can help achieve this goal:
- Use a password manager to help generate complex random passwords. This strategy can help ensure the use of unique passwords across resources that you use, and it can ensure that the passwords are of a sufficient complexity and randomness.
- Use longer passphrases (with mixed-case letters, numbers and symbols) instead of passwords. This strategy can produce memorable credentials that do not require additional software to store and retrieve.
