hackerman1
Member
"Eduard Kovacs
December 18 2015
Organizations that haven’t installed the latest security updates from Microsoft are exposed to attacks due to a serious vulnerability in the Outlook email client,
which was found by a researcher.
The Outlook bug (CVE-2015-6172) is one of the several security holes patched by Microsoft in December, with an update for the Office software suite.
According to Microsoft, an attacker can exploit this flaw using a specially crafted email to run arbitrary code with the privileges of the logged-in user,
and take complete control of the affected system.
Haifei Li, the security researcher who reported the problem to Microsoft, has now disclosed the details of the vulnerability, which he calls an “enterprise killer.”
Exploitation of the flaw, dubbed BadWinmail by the expert, involves Object Linking and Embedding (OLE),
a Microsoft technology that allows embedding and linking to documents and other objects.
Microsoft has designed Outlook to prevent attacks that involve potentially malicious files attached to emails,
and even office documents are opened and previewed in a strong sandbox called Protected View.
However, Li found a way to attach malicious code to an email and get it to execute when the email is opened or previewed in Outlook.
"
Full story: "BadWinmail" Outlook Flaw Puts Enterprises at Risk | SecurityWeek.Com
More info also here: Outlook “letterbomb” exploit could auto-open attacks in e-mail | Ars Technica
Note: The quoted text was lightly edited by me.