Microsoft has finally patched an important Outlook bug it’s known about for over a year, capable of leaking password hashes when users preview a Rich Text Format (RTF) email with remotely hosted OLE objects.
The vulnerability lies in how Outlook handles RTF emails with Object Linking and Embedding (OLE) objects that are hosted on a remote SMB Server.
Outlook itself doesn’t automatically load web-hosted images in an email, as these images could leak IP addresses and metadata such as when the email was viewed. The same program, however, does not take the same precaution with an OLE object loaded from a remote SMB server.
CERT/CC vulnerability analyst Will Dormann found in 2016 that the OLE-SMB object attack could leak the client’s IP address, domain, user name, hostname, and SMB session key in the form of an NTLM over SMB password hash.
You are still at risk
Even with last Tuesday’s patch, Dormann stated that an attacker could still compromise a client’s session.
According to ZDNet: “Instead of loading a remote image, the attacker could send the target a Universal Naming Convention (UNC) link beginning with “\\” to direct the user to a malicious SMB server, which will still automatically begin an SMB session that leaks the same data. But the victim would need to click the link rather than merely preview the email.”
What should you do?
1. Install the Microsoft patch (CVE-2018-0950).
2. Block the TCP and UDP ports used by SMB sessions on your external firewall.
3. Block NTLM SSO to external resources.
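Steps 2 and 3 applied to a single Windows host, as an added example that is not part of the article and not Microsoft’s own guidance or code. It assumes an elevated PowerShell session on Windows 10 / Server 2016 or later with the NetSecurity module, the standard SMB ports (TCP 445, TCP 139, UDP 137-138), the `Internet` address keyword of `New-NetFirewallRule` for non-local destinations, and the `MSV1_0` registry values behind the Group Policy “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers”. The article’s step 2 targets the perimeter firewall; the host rules here are the local equivalent, useful for laptops that leave the network.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): local hardening for the Outlook OLE/SMB credential leak.

# Step 2: block outbound SMB / NetBIOS session traffic to non-local addresses.
# TCP 445 = SMB direct, TCP 139 = NetBIOS session, UDP 137-138 = NetBIOS name/datagram.
function Block-OutboundSmb {
    $rules = @(
        @{ Name = 'Block outbound SMB (TCP 445) to Internet';                  Protocol = 'TCP'; Port = '445' },
        @{ Name = 'Block outbound NetBIOS session (TCP 139) to Internet';      Protocol = 'TCP'; Port = '139' },
        @{ Name = 'Block outbound NetBIOS name/datagram (UDP 137-138) to Internet'; Protocol = 'UDP'; Port = '137-138' }
    )
    foreach ($r in $rules) {
        # Idempotent: only create a rule if one with this display name is not already present.
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Block `
                -Protocol $r.Protocol -RemotePort $r.Port -RemoteAddress Internet -Profile Any | Out-Null
        }
    }
    # Return the rules so the caller can confirm they are enabled and set to Block.
    Get-NetFirewallRule -DisplayName ($rules | ForEach-Object { $_.Name }) |
        Select-Object DisplayName, Enabled, Direction, Action
}

# Step 3: stop NTLM credentials from being sent to remote servers that are not explicitly allowed.
# RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit only, 2 = deny all.
# ClientAllowedNTLMServers holds the "Add remote server exceptions" list (internal servers that still need NTLM).
function Set-OutgoingNtlmRestriction {
    param(
        [ValidateSet(1, 2)] [int] $Mode = 1,    # start in audit mode, move to 2 once the audit log is clean
        [string[]] $AllowedServers = @()        # constructed example: internal file servers by DNS name
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Set-ItemProperty -Path $key -Name 'RestrictSendingNTLMTraffic' -Value $Mode -Type DWord
    if ($AllowedServers.Count -gt 0) {
        Set-ItemProperty -Path $key -Name 'ClientAllowedNTLMServers' -Value $AllowedServers -Type MultiString
    }
    Get-ItemProperty -Path $key | Select-Object RestrictSendingNTLMTraffic, ClientAllowedNTLMServers
}

# Audit helper: in mode 1, outgoing NTLM that would have been blocked is logged as event 8001
# in the Microsoft-Windows-NTLM/Operational log; review it before switching to mode 2.
function Get-OutgoingNtlmAuditEvents {
    param([int] $MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage (run elevated):
Block-OutboundSmb
Set-OutgoingNtlmRestriction -Mode 1 -AllowedServers @('files.corp.example')   # audit first
Get-OutgoingNtlmAuditEvents
# After the audit period shows only expected internal targets:
# Set-OutgoingNtlmRestriction -Mode 2 -AllowedServers @('files.corp.example')
```

Starting in audit mode matters: a blanket NTLM deny on a host that still has NTLM-only internal shares or printers breaks them silently, and the 8001 events tell you which exceptions to add before enforcing. The firewall rules only cover the host they run on, so the external-firewall block from step 2 is still needed for every other device on the network.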