Earlier this month, FRSecure became aware of a new attack vector that all Microsoft Office users should know about and take action to protect against. Due to the way Microsoft Outlook handles (receives and renders) email, it is possible for an attacker to take control of a user’s system, without any action on the part of the user.
The attacker only needs to know your email address in order to successfully exploit this vulnerability.
The exploit depends only on the victim reading or previewing the malicious email.
It is assumed that this exploit is in the wild, and a failure to protect yourself will significantly increase your chances of being a victim.
Microsoft refers to the vulnerability as the “Microsoft Office RCE Vulnerability”.
FAQs – Quick Facts
What is it?
The name given by the researcher who discovered the vulnerability and exploit is BadWinmail or Enterprise Killer. The vulnerability lies in the manner in which Microsoft Outlook handles OLE (Object Linking and Embedding) objects. Due to the vulnerability, an attacker can send a specially-crafted email to a victim and compromise the system without any specific action from the victim other than reading or previewing the email. The exploit would allow the attacker to take control of a system using the same rights and privileges as the victim user.
The manner in which the vulnerability can be exploited has been demonstrated publicly and exploit code is publicly available. These facts make it increasingly important that users protect themselves immediately.
The publicly disclosed exploit used a Flash OLE object sent to an Outlook victim; however, disabling Flash alone is not likely to provide adequate protection.
Why should I care?
Three main points caused us to issue this advisory, and they are why we think you should care:
- A successful attack only requires reading or previewing an email. This attack is not dependent upon opening an attachment.
- The exploit has been published and is readily available for any unskilled (or skilled) attacker to use.
- The vulnerability and exploit allow for full system access (using the victim’s privileges).
Failure to protect yourself could have significant consequences.
How do I protect myself?
On December 8, 2015, Microsoft released “Security Bulletin MS15-131 – Critical”, titled “Security Update for Microsoft Office to Address Remote Code Execution (3116111)”. One of the patches provided in the bulletin addresses (and fixes) the vulnerability associated with BadWinmail or “Enterprise Killer”.
The bulletin is here: https://technet.microsoft.com/en-us/library/security/ms15-131.aspx
Download and install the update associated with Microsoft Knowledge Base article KB3114358 here: https://support.microsoft.com/en-us/kb/3114358
Alternatively, you can (and should) install all updates on your system using Microsoft Update.
System administrators should use their patch deployment system of choice to ensure that all systems are updated.
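To confirm the update landed after deployment, the following check can be run on each workstation. It is an added example, not part of the original advisory or any Microsoft tooling; the function name Test-KbInstalled is hypothetical, and the registry lookup assumes an MSI-based Office installation whose patches are listed under the Uninstall keys.

```powershell
# Added example (not from the advisory): report whether a KB is recorded as installed.
# Test-KbInstalled is a hypothetical helper name. Run on the workstation being checked.
function Test-KbInstalled {
    param(
        [Parameter(Mandatory)]
        [string]$KbId
    )
    $pattern = [regex]::Escape($KbId)

    # Source 1: Windows Update Agent history (installs via Microsoft Update or WSUS).
    # ResultCode 2 is "Succeeded" in the WUA OperationResultCode enumeration.
    $fromHistory = @()
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $total = $searcher.GetTotalHistoryCount()
        if ($total -gt 0) {
            $fromHistory = @($searcher.QueryHistory(0, $total) |
                Where-Object { $_.Title -match $pattern -and $_.ResultCode -eq 2 })
        }
    } catch {
        Write-Warning "Could not read Windows Update history: $_"
    }

    # Source 2 (assumption: MSI-based Office): patch entries under the Uninstall keys,
    # in both registry views to cover 32-bit Office on 64-bit Windows.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $fromRegistry = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $pattern })

    # One result object per machine, suitable for collecting across a fleet.
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        KbId            = $KbId
        InUpdateHistory = $fromHistory.Count -gt 0
        InInstalledList = $fromRegistry.Count -gt 0
        Found           = ($fromHistory.Count + $fromRegistry.Count) -gt 0
    }
}

# KB number taken from the advisory text above.
Test-KbInstalled -KbId 'KB3114358'
```

A result of Found = False does not by itself prove the machine is unpatched: a later update that supersedes this one, or a Click-to-Run Office installation, will not list this KB number. Confirm such machines against the bulletin entry for the installed Office version.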
Where can I find more details?
More details from Microsoft are available here:
- Microsoft Security Bulletin MS15-131 – Critical
- Microsoft Knowledge Base article 3116111 “MS15-131: Security update for Microsoft Office to address remote code execution: December 8, 2015”: https://support.microsoft.com/en-us/kb/3116111
- Microsoft Security Bulletin Summary for December 2015: https://docs.microsoft.com/en-us/security-updates/SecurityBulletinSummaries/2015/ms15-dec?redirectedfrom=MSDN
A research paper detailing the vulnerability and exposure, titled “The ‘Enterprise Killer’ Attack Vector in Microsoft Outlook”, is available on Google’s Zero Day Research site.
A YouTube demonstration of the exploitation is available here: https://youtu.be/ngWVbcLDPm8
The Common Vulnerabilities and Exposures database listing is available here: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6172
Who is FRSecure?
FRSecure LLC is a full-service information security management company. As an information security firm, FRSecure protects sensitive, confidential business information from unauthorized access, disclosure, distribution and destruction. We assess existing information security systems and develop, implement and manage plans tailored to each client’s specific security needs and overall business objectives. These plans spare clients from the irreparable financial and reputational costs that invariably accompany the breach of sensitive business and personal information.
FRSecure works with businesses of all sizes, in all industries. We understand that our clients are in business to make money, so we design secure solutions that drive business, protect sensitive information assets, and improve their bottom line.
For more information about FRSecure, visit us online at www.frsecure.com