CYBER NEWS

CVE-2018-0950 não totalmente fixa em abril 2018 patch Tuesday

abril 2018 Patch Tuesday foi lançada. Contém 66 correções de segurança para vulnerabilidades. Uma das manchas mais intrigantes envolve uma falha mais velhos Microsoft Outlook que foi relatada pela primeira vez em 2016.

Contudo, de acordo com Will Dormann, the vulnerability analyst at CERT who disclosed it, the just-released patch is not complete and it needs further workarounds. The bug in question is CVE-2018-0950.

What Is CVE-2018-0950?

Microsoft Outlook will automatically retrieve remote OLE content when an RTF email is previewed. When remote OLE content is hosted on a SMB/CIFS server, the Windows client system will attempt to authenticate with the server using single sign-on (SSO). This may leak the user’s IP address, nome do domínio, nome do usuário, host name, and password hash. If the user’s password is not complex enough, then an attacker may be able to crack the password in a short amount of time.

The researcher believes that the biggest issue with this bug is that Outlook automatically renders the content of remote OLE objects (Object Linking and Embedding) embedded inside rich formatted emails without first prompting the user. This activity is associated with other Microsoft Office products like Word, PowerPoint and Excel, and has become a common attack vector for malicious actors.

The vulnerability analyst assessed that the bug could be exploited to steal user account passwords, or more specifically NTLM hashes. He carried out the successful exploit by sending an email to an Outlook account that had an OLE object embedded, making requests to a remote SMB server of malicious nature. By default the targeted Windows computer would try to authenticate on this remote and malevolent SMB server by sharing the user’s NTLM hash, the researcher discovered.

It is quite easy for an attacker to take an advantage of this attack vector – by simply collecting the hashes, then cracking them offline, and leveraging them to infiltrate the victim’s system. Other components of the internal network could also be affected.

What Is the Issue with Microsoft’s Patch?

Pelo visto, the company addressed the vulnerability only partially by patching the SMB attack vector. The researcher informed Microsoft about the OLE-associated issue stemming from CVE-2018-0950 in November 2016. 18 months later, Microsoft has finally issued a patch in April 2018 patch Tuesday, but as it turns out, the patch only fixes the issue half-way. The core of the problem remains unsolved.

Não obstante, a remendo for this vulnerability is still crucial and should be applied immediately.

Story relacionado: Microsoft admite desativar temporariamente partes de aplicativos antivírus de terceiros

As for the workarounds:

1. Block inbound and outbound SMB connections at your network border;
2. Block NTLM Single Sign-on (SSO) autenticação;
3. Use complex passwords.

More details are available in the advisory Publicados on CERT’s vulnerability notes database.

Milena Dimitrova

Milena Dimitrova

Um escritor inspirado e gerente de conteúdo que está com SensorsTechForum desde o início do projeto. Um profissional com 10+ anos de experiência na criação de conteúdo envolvente. Focada na privacidade do usuário e desenvolvimento de malware, ela acredita fortemente em um mundo onde a segurança cibernética desempenha um papel central. Se o senso comum não faz sentido, ela vai estar lá para tomar notas. Essas notas podem mais tarde se transformar em artigos! Siga Milena @Milenyim

mais Posts

Me siga:
Twitter

Deixe um comentário

seu endereço de e-mail não será publicado. Campos obrigatórios são marcados *

limite de tempo está esgotado. Recarregue CAPTCHA.

Compartilhar no Facebook Compartilhar
Carregando...
Compartilhar no Twitter chilrear
Carregando...
Compartilhar no Google Plus Compartilhar
Carregando...
Partilhar no Linkedin Compartilhar
Carregando...
Compartilhar no Digg Compartilhar
Compartilhar no Reddit Compartilhar
Carregando...
Partilhar no StumbleUpon Compartilhar
Carregando...