
New Outlook Bug Doesn't Require Users To Interact With Emails To Be Compromised

An anonymous reader writes: A new bug in Outlook allows attackers only to send you an email, and without clicking or downloading attachments, a user's computer can be compromised. The bug [PDF] is because Outlook allows Flash objects to be previewed without a sandbox. Flash files are demon spawns and attackers can put exploits in malicious files, which when previewed or viewed inside an Outlook application will automatically execute their payload.
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward

    How much better would the world be without Microcrap and Flash?
    Pity, they are like a plague. Like Zombies. We don't seem to be able to get rid of them.

    • by gweihir ( 88907 )

      More like AIDS...

    • The only reason that I use Outlook is that I want to be compromised.
    • Apparently, it wouldn't be.

      People chose -- and keep choosing -- Microsoft products often enough to keep the company in business and doing fine, instead of buying, well, whatever else is next-best in their minds.

      And what might those products be, anyway? OS/2 and Lotus Notes, perhaps? And the other software they might want would be what, exactly?

      Sucky though MS products often are, they work pretty well at meeting customers' needs. Well enough, anyway.

  • by Z00L00K ( 682162 ) on Saturday December 19, 2015 @05:13AM (#51149161) Homepage

    The Melissa mail worm seems to be forgotten, but there's a new generation of coders now that weren't even in school when that occurred.

  • by JaredOfEuropa ( 526365 ) on Saturday December 19, 2015 @05:52AM (#51149249) Journal
    Years ago we were warned to turn off Outlook previews, for exactly this reason. Also, my copy of Outlook doesn't download or render attachments (or even images) unless told to, for every individual email. As far as I know, that is the default behaviour. The danger is that you can whitelist senders so that their attachments are downloaded without confirmation, and spammers often use commonly used email addresses as the originator.

    The summary is incorrect as well. FTA: "The only condition is that the user views or previews the email in which the attacker has embedded a malicious Flash file." So you still need to click. The only exception is if your Outlook is set to always download attachments, show a preview, and if the malicious email is the last one to arrive, since the mail will then be shown in the preview window upon opening Outlook.

    Lastly, Flash needs to die
    • by lucm ( 889690 ) on Saturday December 19, 2015 @07:02AM (#51149395)

      my copy of Outlook doesn't download or render attachments (or even images) unless told to

      That's why Lotus Notes is so amazing. Even when you tell it to, it doesn't download or render things. Security by mediocrity.

      • by KGIII ( 973947 )

        Heh... We used Lotus back in the day. I must admit, I don't recall ever liking it. At the time, I wasn't really able to find anything better that could be rolled out as quickly and I had other things to do and no real IT staff as of yet. I made those poor bastards put up with it for years. I am sorry. But, in my defense, it did *kind of* work, most of the time, and for some definition of work.

      • That's why Gnus is so amazing...

      • by raymorris ( 2726007 ) on Saturday December 19, 2015 @03:16PM (#51150897) Journal

        That's actually a valid and important point. Flash files are executable code. How many dozens of significant vulnerabilities have been caused by Outlook running macros, Flash, Javascript, and other types of executables embedded in emails? Outlook has at least three or four programming languages it can run from emails.

          That's entirely unnecessary. Many people, including myself, have always used email clients that just read email - they don't, and can't, execute anything. If security is important to you, it makes sense to consider whether your email reader really needs to be able to run code found within emails, whether your web browser needs to also be your desktop shell, as "a fundamental part of the Windows operating system", etc. There are many huge classes of vulnerabilities that can't happen if you choose software that simply does its job, without hundreds of tangential features bolted on unnecessarily.

    • by Anonymous Coward

      Lastly, Flash needs to die

      I think the summary already covered that adequately with

      Flash files are demon spawns

      • by mlts ( 1038732 )

        The sad thing, I seem to be seeing a resurgence in Flash because some website designers think that if they put all their content in a huge Flash file, that nobody can steal their pictures or content. I thought all Flash sites were left in the ashbin of history, but I've stumbled upon several recently.

    • Removing or renaming the Flash binary, making it non-executable (yes, Windows has Execute permissions, just like *nix), or de-registering it from HKCR (ActiveX is just COM, and registers by GUIDs under HKCR\Classes, or using regsvr) are all valid options here, too.

      But yes, it's pretty goddamn stupid that Outlook should execute Flash. It doesn't allow scripts in HTML email, but it allows something that is a superset of what JavaScript can do? Moronic.

      • by gweihir ( 88907 )

        Well, yes, and anybody with a clue has de-installed Flash long ago anyways, but Windows is the OS that is supposedly "easier" and aimed at non-experts. This means a lot of people will get hit by this.

    • by TheRealHocusLocus ( 2319802 ) on Saturday December 19, 2015 @07:48AM (#51149473)

      Lastly, Flash needs to die

      Just curious... why are people on a coding site declaring "Flash needs to die" instead of something like, Flash needs to be completely deconstructed and rewritten by the open source community using the most conservative style of programming, a system that forces a multi-person review of commits, hit with the best enumeration tools we have, so that arbitrary code execution is not possible? Which might be possible because processor speed has improved since it was first designed and the assembly level hacks that made it possible are no longer necessary? And when we are done, the worst thing that could ever happen is that someone might display inside a Flash window?

      Instead of busting into the kitchen, grabbing pans off the wall and showing the chef how steak should be done, we sit at the table banging our forks and knives, shouting, "Down with meat!"

      It's easy to make fun of Outlook, where with maliciously crafted embedded binary OLE blobs you can trigger exploits in many versions of Microsoft products. The faults lie in the products themselves, not the Blob. But Flash is self contained and lives inside a little rectangle. It is cross platform, amply documented and widely used today. Why must it die? So that generations of beloved Internet content can be 'destroyed' overnight? It almost smells like book-burning.

      • by Junta ( 36770 )

        processor speed has improved since it was first designed

        Note that even as it is today, I have observed such flash heavy sites that a web browser can bring a pretty modern system to its knees. If you are implying that even slower flash would be acceptable because systems are faster, that would be a bad call. The issue is that for the most part, the role flash served can now be served with HTML, Javascript, and CSS, which do have open implementations. Rather than re-implementing the flash runtime, making every effort to port web content away from flash would go

      • Lastly, Flash needs to die

        Just curious... why are people on a coding site declaring "Flash needs to die" instead of something like, Flash needs to be

        Not that I disagree with your assessment, but Slashdot is "News for Nerds", and has all manner of different categories.

        And you'll note that the GP here managed to blame everything on everything else, like the user not setting the right settings, and flash. That's why Microsoft Stuff is so good - everything is the user's fault for allowing it to do what it does.

      • Because flash is a binary executable. Executables run code. Running code is bad from a freaking mail client or browser security wise and unnecessary. Worse you can't edit it and need to use proprietary products to create them against spirit of the web.

        Flash took off to get around IE 6 and codec war incompatibility problems early last decade. It is 2015 now. More than time to move on

      • In broad terms, any argument Flash-haters can level at Flash can also be made against JavaScript (JS is just as likely to annoy you in as many ways as Flash). I remember when it was JS that was derided and Flash the way forward. Fashions in software platforms come and go. What we need is a decent, mature, fully-featured, free and open source scripting language for apps that run in web browsers (which JS isn't). I don't care what it is, whether it's ActionScript, Java, Python, or something else. However, tha

        • " any argument Flash-haters can level at Flash can also be made against JavaScript "

          Really. Javascript is a proprietary tool from Adobe? I did not know that!

          • You clearly don't understand English very well. I wrote, "In broad terms,..." I'm struggling to imagine how your point could be made more narrow.

        • by allo ( 1728082 )

          But flash is content and scripting.
          You can turn off js and read slashdot. But you cannot turn off flash and see a flash movie. Even when the movie itself would not need user interaction (scripting).

          • But flash is content and scripting.
            You can turn off js and read slashdot. But you cannot turn off flash and see a flash movie. Even when the movie itself would not need user interaction (scripting).

            You could try comparing like with like: If you turn off JS in your browser, you can't see an HTML5 animation. HTML5+CSS3+JS is content and scripting. In fact, most of the JS animation utility libraries were ported from Actionscript (Flash).

            • by allo ( 1728082 )

              Yeah, and that's the pro- and cons.

              Pro HTML5: You can see content without the rest
              Con HTML5: No way to save a full game / animation like with an .swf file.

      • Flash is a fully-functioning content system with a built-in programming language, written in a day when no thought was given to security, and it shows. It's a massive, massive attack surface that's been horribly exploited for over a decade, and it shows no sign of running out of flaws to exploit. It's not open source, so no one can proactively search for exploits or flaws, which means we must rely on Adobe's good graces to fix issues (which to their credit, they have so far).

        Flash is demonstrably dangerou

      • by Nemyst ( 1383049 )
        Largely because it's a big binary blob (even open source, it still would be) that at this point doesn't do a whole lot that Javascript + CSS3 + HTML5 can't do, and it can be argued that the things it can do that those standards cannot shouldn't be present in a web page anyway. Flash has been abused to provide the most annoying and obtrusive ads, the least standard and most awkward "web apps", a bunch of shitty Newgrounds games and so on. That's before you talk about the insecurity of a binary blob getting e
      • Bear in mind that there have already been several open-source attempts at rewriting the Flash Player -- namely Gnash, Lightspark, and Mozilla's Shumway -- and all of them are still relatively immature. In short, the plan of attack that you suggest has already been tried.

  • by Anonymous Coward

    Providing access to people's computers and ensuring miserable but steady cleanup work for admins, relatives and acquaintances who "know computers" since time immemorial. Thank you, Microsoft and Adobe, for keeping the computer people fed over the holidays.

  • Already fixed (Score:4, Informative)

    by Anonymous Coward on Saturday December 19, 2015 @06:04AM (#51149279)

    Why doesn't the summary mention that this was fixed by an update released on Patch Tuesday, Dec 8?

    • That is only relevant up to a point.
      My home PC has no Flash, I only use Outlook for my work emails (vpn) and it is fully patched.
      The PC provided by the company has Flash - and I do not have the rights to uninstall it - and the latest set of updates have not propagated down to us yet. Microsoft Update is specifically disabled. Maybe the Flash version we have is new enough, maybe the company's mail scanner can keep this thing out. Maybe not.

      • by Junta ( 36770 )

        I agree (and my work system is woefully not up to date and I have no privilege to fix it, and tear my hair out over a number of known bugs that have been fixed, but my company has not seen fit to push updates for them). However the link would be helpful if some person who is in charge of managing deployment of updates is aware there is a fix to be had. So the story is valid to show (it's not like it's a non-story because update is available), but it should have indication of fix for those empowered to do

    • by jrumney ( 197329 )
      The editors were too busy chuckling over the irony of releasing a story about an Outlook exploit involving a Flash infection vector, with a link to the details in a PDF doc.
    • Hopefully not the same patch that broke about a dozen other things to the point where most people uninstalled it.
  • * It's yet another flash bug, Outlook is just the host instead of IE or whatever. If you still have Flash on your system you should just assume you are pwned already and post your bank account, credit card details and nude photos straight to 4chan to shorten the painful process
    * It is not even zero-day, like many Flash bugs are, because it's already patched/fixed (by MS on the Outlook side by the looks of it)
    * It only affects you if you have preview window on, _and_ the malicious email happens to be the fir

    • by climb_no_fear ( 572210 ) on Saturday December 19, 2015 @07:04AM (#51149399)

      * It's yet another flash bug,

      It is not just Flash. If you read the article more carefully, you would have seen this (from the article):

      We use Flash OLE object as an example since Flash (zero-day) exploits are easy to obtain by attackers, but please note that there are other OLE objects may be abused by attacker, as not only Flash but also a number of other OLE objects can be loaded in Outlook.

    • by penix1 ( 722987 )

      I am going to hit on a few of your points...

      * It's yet another flash bug, Outlook is just the host instead of IE or whatever. If you still have Flash on your system you should just assume you are pwned already and post your bank account, credit card details and nude photos straight to 4chan to shorten the painful process.

      The problem is two pronged. Yes, having flash installed is a huge risk but the other part of the prong that keeps flash alive is the multitude of sites out there that require it for whateve

      • by Anonymous Coward

        You forgot to add in "and you view email in HTML." I have Outlook (at work) set to only use plain text for both receiving and sending. Allowing HTML in email is the stupidest thing ever implemented. That is what truly needs to die!

        Amen. Though I thought everyone with 1/2 a clue knew to turn that off 10 years ago, along with the preview crap.

      • Websites are notorious for phb wanting to maximize viewers and being conservative. A 180 from 1999. These same owners just a few years ago demanded IE 6 compatibility too. If Chrome and IE stopped including flash the problem will fix itself.

    • Great list of all the reasons it isn't really a problem, even though it is. You seem to have provided a pretty one sided list though. Are you sure you can't come up with any line items that don't sound like you work for Microsoft PR?
    • by dbIII ( 701233 )
      Or kills Outlook. This is just the latest of a long list so it's probably best for a new mail client instead of a house of cards stacked on the original piece of utter shit Outlook Express flaws. It's been going on for so long and is so sprawling that it's a safe bet that there is code in MS Outlook that no current MS employee has taken the time to understand.
  • Stating the obvious here, but if I uninstalled all versions/instances of Flash from my Win 7 x64 system I should be pretty safe from at least this one, or should I? Note at the bottom: Now the only flash player that I have right now is the pepper flash version installed by/with Chrome. Oh, and just in case, this is my workstation - hence running Windows... mandated by company. I have couple of VMs to work in Linux/FreeBSD etc. but the main business desktop needs to be Windows.
    • That would certainly protect you from Flash exploits. You would still be vulnerable to other OLE based attacks but those are admittedly much less likely.
  • Isn't it known to be insecure like since 2000?

  • Yet another example of why Flash should be uninstalled at the OS level. For example, on Windows this means removing the Flash ActiveX control. If you ever encounter a web page that needs Flash (they're becoming less and less common), just open it in Chrome, which you have configured to use Flash as click-to-play.

  • My Outlook 2003 isn't affected, yay!

  • Apparently Outlook renders HTML-mail. That's unfortunately a common bug found in mail clients today. That's nearly as bad as some mail clients incorrectly encoding your mail as HTML.
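
Several comments above suggest removing the Flash ActiveX control or de-registering it from HKCR so that COM hosts such as Outlook cannot load it. The following read-only PowerShell audit is an added example, not code from the thread or the linked paper; it reports whether that registration is still present. The CLSID used is an assumption (the one widely documented for the Shockwave Flash Object control), and the function name `Get-FlashRegistration` is hypothetical.

```powershell
# Read-only audit: is the Flash ActiveX control still registered as a COM class,
# and is the binary it points to still on disk? Changes nothing on the system.
# Assumption: the CLSID below is the one widely documented for the
# "Shockwave Flash Object" control; confirm it on a machine that has Flash.
$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'

# HKCR is a merged view of machine and per-user class registrations. On 64-bit
# Windows, 32-bit programs (including 32-bit Office) see the WOW6432Node copy.
# Run this from 64-bit PowerShell so the two machine-wide paths are not redirected.
$views = [ordered]@{
    'machine, native' = "HKLM:\SOFTWARE\Classes\CLSID\$FlashClsid"
    'machine, 32-bit' = "HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\$FlashClsid"
    'current user'    = "HKCU:\Software\Classes\CLSID\$FlashClsid"
}

function Get-FlashRegistration {
    param([string]$View, [string]$KeyPath)

    $result = [pscustomobject]@{
        View = $View; Registered = $false; Binary = $null; BinaryOnDisk = $false
    }
    $inproc = "$KeyPath\InprocServer32"
    if (-not (Test-Path -LiteralPath $inproc)) { return $result }

    # The default value of InprocServer32 names the file COM loads for this class.
    $result.Registered = $true
    $result.Binary = (Get-Item -LiteralPath $inproc).GetValue('')
    if ($result.Binary) {
        $result.BinaryOnDisk = Test-Path -LiteralPath $result.Binary -PathType Leaf
    }
    return $result
}

$report = foreach ($view in $views.GetEnumerator()) {
    Get-FlashRegistration -View $view.Key -KeyPath $view.Value
}
$report | Format-Table -AutoSize

if ($report | Where-Object { $_.Registered -and $_.BinaryOnDisk }) {
    Write-Output 'Flash ActiveX control is registered and loadable by COM hosts.'
} else {
    Write-Output 'No loadable Flash ActiveX registration found in the views checked.'
}
```

A clean result covers only the Flash control; as the article quote in the thread notes, other OLE objects can also be loaded in Outlook.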
