New research highlights difficulty of preventing Outlook security exploits

Haifei Li, a principal vulnerability researcher at Check Point Software Technologies Ltd., examines the universe of Microsoft Outlook exploits in a new blog post this week that has lessons for users and security managers alike.

Li divides this collection into three parts: embedded malicious hyperlinks, malware-laced attachments and more specialized attack vectors. He has investigated many of these cases personally, testing against the most recent versions of the Windows Outlook client and Exchange servers.

Outlook exploits — given its widespread use — continue to grab headlines, including older ones that haven’t been diligently patched or that resurface in new variations. One such case was reported this past week in Bleeping Computer, where Russian state-sponsored attackers leveraged a flaw patched in March.

The first category — malicious hyperlinks — forms the foundation of all phishing emails, not to mention other vectors such as SMS text messages. “For this attack vector, the attacker basically uses emails as a bridge to perform web-based attacks, whether they are social-engineering-based phishing attacks, browser exploits, or even highly technical browser zero-day exploits,” Li wrote. In other words, the user only has to click on the link to launch a web browser, which is where the exploit actually begins.

The second category, attachments, is also very familiar to users, and the success of the exploit depends on whether a user clicks once or more times on the attached file. Outlook does mark some files as unsafe or risky file types, and Microsoft offers several suggestions on how to handle them more securely.

Li describes several scenarios, depending on the type of file attached, its origin and the various security features Microsoft provides to prevent malware infections. He has assembled a very thorough collection of use cases, differentiating between previewing a file and clicking on it to run the associated application directly. This is the meat of Li’s post, and security managers would do well to review it to understand the various modalities.

The third category is where things get interesting. These types of attacks can happen when a…

Source…