“BadWinmail” Outlook Flaw Puts Enterprises at Risk

Organizations that haven’t installed the latest security updates from Microsoft are exposed to attacks due to a serious vulnerability found by a researcher in the Outlook email client.

The Outlook bug (CVE-2015-6172) is one of the several security holes patched by Microsoft in December with an update for the Office software suite. According to Microsoft, an attacker can exploit this flaw using a specially crafted email to run arbitrary code with the privileges of the logged-in user and take complete control of the affected system.

Haifei Li, the security researcher who reported the problem to Microsoft, has now disclosed the details of the vulnerability, which he calls an “enterprise killer.”

Exploitation of the flaw, dubbed by the expert BadWinmail, involves Object Linking and Embedding (OLE), a Microsoft technology that allows embedding and linking to documents and other objects.

Microsoft has designed Outlook to prevent attacks that involve potentially malicious files attached to emails, and even office documents are opened and previewed in a strong sandbox called Protected View. However, Li found a way to attach malicious code to an email and get it to execute when the email is opened or previewed in Outlook.

According to the expert, a malicious actor can leverage the Transport Neutral Encapsulation Format (TNEF), a Microsoft email attachment format used by Outlook and Exchange Server, to conduct an attack. When TNEF is used, the attached file is usually named “winmail.dat,” which inspired Li to name the vulnerability BadWinmail.

TNEF can be configured so that the user’s attachment, which is included in winmail.dat, is rendered as an OLE object. This allows an attacker to create a malicious winmail.dat file containing an OLE object that is automatically loaded when the user reads the email. Furthermore, if the malicious email is the newest in the victim’s inbox, the payload is automatically executed when Outlook is launched.

The researcher says an attacker can attach various types of exploits and OLE objects, but he demonstrated his findings using a Flash OLE object and a Flash Player vulnerability. Li has published a video to show how the attack works.

In addition to using the TNEF format, Li determined that a malicious OLE object can also be delivered via a .msg file, which is considered safe by Outlook.

In these attacks, the exploit is executed in the context of the outlook.exe process, giving the attacker the same privileges as the victim.

“Think about it, an attacker may just need a Flash zero – day exploit (and the email address, of course) to take control of a CEO’s computer for a business company – most enterprise users use Outlook every day, then he/she can read all the confidential emails and may do many more. This is absolutely an ideal technology for targeted attacks, especially in an APT era,” the researcher wrote in his paper.

“Even, an attacker may launch a ’worm’ based attack by abusing this attack vector – that doesn’t usually happen in Windows ecosystem since Vista’s release – when compromising one computer via email, the worm may gather all the contacts and then send the same exploit via email to all the contacts to spread itself,” Li explained.

At the time when it released the patch, Microsoft noted that it was not aware of any attacks attempting to exploit the vulnerability.