Opening an email using Outlook could let someone steal your Windows Login Password

You receive an email that appears to come from a legitimate source. Simply by opening that email in Microsoft Outlook, you could be allowing an attacker to capture your Windows login password.

If the received email contains, say, a UNC link starting with \\, clicking on the link will start an SMB connection, and the username and password hash data can be transferred without the user's knowledge.

This is possible because Microsoft Outlook allows a document to contain embedded parts, using Rich Text Format (RTF) and Object Linking and Embedding (OLE). That capability can be exploited to get Outlook to “automatically” open an SMB connection to a remote SMB server.

Will Dormann, a Software Vulnerability Analyst with Carnegie Mellon Software Engineering Institute’s CERT Coordination Center (CERT/CC), discovered the above vulnerability and reported it to Microsoft in November 2016.

Last Tuesday (Apr 10 2018) Microsoft released a fix for the above bug. Details of the fix are on Microsoft’s site under the title: CVE-2018-0950 | Microsoft Office Information Disclosure Vulnerability – Security Vulnerability (Published: 04/10/2018), and at MITRE: CVE-2018-0950.

The above Microsoft fix does address the “automatic” opening of an SMB connection to a remote SMB server. But a user viewing the document can still click on a link embedded (via OLE) within it, and that click will still initiate an SMB connection.

To check if your Windows system has the update installed, go to

For info on keeping your Microsoft Windows updated, click on this link to visit Microsoft’s Windows Update: FAQ page.

The Microsoft Apr 10 security update does not address the end user clicking on a link. To eliminate an SMB session being established after an OLE link has been clicked, you need to block the ports used for incoming and outgoing SMB sessions: TCP ports 445, 137 and 139, and in addition UDP ports 137 and 139. That way no inbound or outbound SMB connections will be started.

You should also add a Windows Registry DWORD32 key named “EnterpriseAccountSSO” and set it to a value of “0”. How to do that is detailed below.

Click on the following link to visit the Microsoft Security Advisory page titled: ADV170014 | Optional Windows NTLM SSO authentication changes – Security Advisory (Published: 10/10/2017).

The above advisory describes adding a registry entry that disables NT LAN Manager (NTLM) single sign-on (SSO) to public and unspecified resources. It is a small, simple addition:

Customers can add a DWORD32 key named “EnterpriseAccountSSO” to the Windows Registry location HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 with one of the following values:

  • 2 – Always allow SSO. (This is the default state.)
  • 1 – Deny SSO if the resource is public. Allow if the resource is private or enterprise. Allow SSO if the resource is unspecified.
  • 0 – Deny SSO if the resource is public. Allow if the resource is private or enterprise. Deny SSO if the resource is unspecified.

You should set it to “0”, which DENIES SSO authentication requests to public and unspecified resources.
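The two hardening steps above (blocking the SMB/NetBIOS ports and setting EnterpriseAccountSSO to 0) as one PowerShell script; this is an added example, not code from the original post, Microsoft or CERT/CC. It assumes an elevated prompt on a Windows version with the built-in NetSecurity firewall cmdlets (Windows 8 / Server 2012 or later); the outbound rules are scoped to the firewall's Internet address keyword so that file shares on the local network keep working, which is a practical refinement of the post's advice.

```powershell
#Requires -RunAsAdministrator
# Added example: hardens a host against the NTLM-leak paths described above.

# 1. Registry setting from ADV170014: deny NTLM SSO to public/unspecified resources.
$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'EnterpriseAccountSSO'

$current = (Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    # Value absent means the default (2 = always allow SSO) is in effect.
    New-ItemProperty -Path $lsaPath -Name $valueName -PropertyType DWord -Value 0 | Out-Null
} elseif ($current -ne 0) {
    Set-ItemProperty -Path $lsaPath -Name $valueName -Value 0
}
"$valueName is now $((Get-ItemProperty -Path $lsaPath -Name $valueName).$valueName)"

# 2. Firewall rules: block the SMB/NetBIOS ports listed in the post, both directions.
#    Outbound rules use -RemoteAddress Internet (a built-in keyword) so intranet
#    shares still work; remove that parameter to block every destination.
$ports = @(
    @{ Protocol = 'TCP'; Port = 445 },
    @{ Protocol = 'TCP'; Port = 139 },
    @{ Protocol = 'TCP'; Port = 137 },
    @{ Protocol = 'UDP'; Port = 137 },
    @{ Protocol = 'UDP'; Port = 139 }
)
foreach ($p in $ports) {
    $name = "Block SMB leak $($p.Protocol) $($p.Port)"
    if (-not (Get-NetFirewallRule -DisplayName "$name outbound" -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName "$name outbound" -Direction Outbound -Protocol $p.Protocol `
            -RemotePort $p.Port -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
    if (-not (Get-NetFirewallRule -DisplayName "$name inbound" -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName "$name inbound" -Direction Inbound -Protocol $p.Protocol `
            -LocalPort $p.Port -Action Block -Profile Any | Out-Null
    }
}

# Show what is now in place so the change can be verified (and later audited).
Get-NetFirewallRule -DisplayName 'Block SMB leak*' |
    Select-Object DisplayName, Direction, Enabled, Action
```

The script is idempotent: rerunning it leaves existing rules and the registry value untouched.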

References for more details:

Carnegie Mellon University – Software Engineering Institute – CERT/CC blog post by Will Dormann titled: Automatically Stealing Password Hashes with Microsoft Outlook and OLE

CVE page at Mitre.org: CVE-2018-0950

Microsoft’s page titled: Description of the security update for Word 2016: April 10, 2018