Users are vulnerable just by reading or previewing an email

Dec 17, 2015 22:38 GMT

Just by looking at an email message in Outlook, you can give attackers control of your PC. The good news is that Microsoft has patched the issue, but unless you updated Outlook after December 8, you're still vulnerable.

Security researcher Haifei Li discovered this peculiar Outlook bug, which he named BadWinmail. According to a technical report he put together after the vulnerability's discovery, the attack is extremely easy to carry out and does not require any complex interaction from the end user.

The only condition is that the user views or previews the email in which the attacker has embedded a malicious Flash file.

Flash strikes again!

At the vulnerability's root is Windows OLE, or Object Linking and Embedding. This technology allows various types of data objects to be embedded inside Office documents.

Outlook emails are considered Office documents, and Flash objects are supported via OLE. Unfortunately, Flash is also one of the most maligned software packages around, and comes with numerous well-documented security issues that allow a full compromise of affected devices.

When a user opens an Outlook email or previews the email in one of the Outlook panels, the OLE mechanism will automatically read the embedded Flash object and try to execute it, to provide a preview.

Since most Flash exploits only need to be executed to work, and because there's a flaw in the Outlook security sandboxing system, an attacker can easily embed malicious Flash objects inside emails and have further malicious code executed via older Flash vulnerabilities.
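Because the object runs on view or preview, the practical place to catch it is before delivery. The following is an added example, not code from the article or from Mr. Li's report: a mail-gateway triage check that flags MIME parts carrying OLE data or referencing the Flash ActiveX control. The function names, the verdict labels and the sample messages are assumptions made for illustration, and the Flash control's CLSID is supplied here rather than taken from the article.

```python
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

# Header magic of an OLE2 compound file (the container format OLE objects use).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# CLSID of the Shockwave Flash ActiveX control; not quoted in the article.
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")

def scan_message(raw):
    """Return one finding per MIME leaf part that carries OLE data or names Flash."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        # The CLSID appears little-endian in binary OLE data, or as text in markup.
        flash = FLASH_CLSID.bytes_le in data or str(FLASH_CLSID).encode() in data.lower()
        ole = OLE_MAGIC in data
        if ole or flash:
            name = part.get_filename() or part.get_content_type()
            findings.append({"part": name, "ole": ole, "flash": flash})
    return findings

def verdict(raw):
    """Hypothetical gateway policy: quarantine Flash, review other OLE, else deliver."""
    findings = scan_message(raw)
    if any(f["flash"] for f in findings):
        return "quarantine"
    return "review" if findings else "deliver"

def build_sample(payload=None):
    """Constructed test message; the payload is inert marker bytes, not an exploit."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    if payload is not None:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename="object.bin")
    return msg.as_bytes()

if __name__ == "__main__":
    flash_obj = OLE_MAGIC + b"\x00" * 16 + FLASH_CLSID.bytes_le
    for label, raw in [("plain", build_sample()),
                       ("ole only", build_sample(OLE_MAGIC + b"\x00" * 32)),
                       ("ole + flash", build_sample(flash_obj))]:
        print(label, verdict(raw), scan_message(raw))
```

A byte-signature check like this is a coarse filter for unpatched clients; it does not replace installing the update.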

BadWinmail + APT = ♥

The indirect effect of a BadWinmail attack is that it will allow attackers to install more damaging malware like spyware or backdoors. "It’s also a wormable issue rarely seen on Windows platform nowadays," said Mr. Li.

This type of damage and reach is very appealing to APT groups or cyber-espionage agencies that generally focus on smaller, individual targets.

In one specific scenario, a BadWinmail attack can be triggered as soon as the Outlook client is opened. This happens when the malicious email carrying the BadWinmail attack is also the latest received email, because most Outlook clients, when opened, are configured to show a preview of the last received email.

Microsoft fixed the BadWinmail-related issues on December 9 via the Microsoft Security Bulletin MS15-131 (CVE-2015-6172).

Below is a video demonstration of the attack.