Microsoft Office Vulnerability - System login details at risk (CVE-2018-0950)


400 million active users of Microsoft Outlook may be in danger of getting hacked, going by the discovery of a CERT researcher, Will Dormann.

What is at stake?
All sensitive information including Windows login details

Who is in danger?
All Windows users using Microsoft Outlook for emails

How does the hack work?
A remote attacker can email OLE content (an embedded and linked object) in the form of a Rich Text Format (RTF) message. This RTF message contains a remotely hosted image file (an OLE object) served from an SMB server controlled by the hacker.

Once the target victim previews the email in Microsoft Outlook, the OLE content can initiate authentication with the attacker-controlled remote server over the SMB protocol using single sign-on (SSO), granting access to the username and the NTLMv2 hashed version of the password. The vulnerability exists in the way the OLE content is rendered by Microsoft Outlook. This allows the remote attacker to gain access to sensitive information about the user, including the user's username, password hash, domain name, IP address and hostname.

Though the vulnerability was discovered in 2016, Microsoft fixed this in its April 2018 Patch Tuesday release.

What improvements and fixes were made by Microsoft regarding this vulnerability?

  • When you view text in a reply or forward email that uses an automatic signature on an iOS device, the font color of the reply text is incorrect.
  • The end position of a bookmark is synced incorrectly during a co-authoring operation in Word 2016.
  • When you set the numeral shapes for Arabic text to Hindi numbers and then save a Word document that has Arabic text as a PDF file, the numbers in the Word document are incorrectly displayed as Arabic in the PDF file.
  • When you edit documents that are stored in an attachment field in a Microsoft Access database and then save the documents, you are unexpectedly prompted to "Save as."
  • If a Word document that contains OLE or OCX controls is embedded as an OLE object in another application, the controls appear in the wrong place when you scroll the document.
  • Improves performance for bookmark deletion by using a programmatic method, such as deleting bookmarks through macros, VBA, and C#.
  • If the Windows system language is set to a complex script language, such as Thai, when you print a Word document that contains bullets, the bullets are printed incorrectly.
  • When you save a document in Word 2016 after you install KB 4011730, Word crashes.

What MS Outlook users can do to remain safe:
1. This vulnerability is addressed in the Microsoft update for CVE-2018-0950. This update prevents Outlook from automatically initiating SMB connections when an RTF email is previewed. ManageEngine's Patch Management now supports the latest patch for this CVE. 
2. Block inbound and outbound SMB connections at your network border by blocking ports 445/tcp, 137/tcp, 139/tcp, as well as 137/udp and 139/udp.
3. Block NTLM Single Sign-on (SSO) authentication.
4. Use complex passwords so that the password hashes are hard to crack even if they are captured.
5. Don't click on suspicious links provided in emails, especially the ones that start with '\\'.
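
One way to verify step 2, as an added example that is not part of the original article: a Python check over firewall logs that flags connections from internal hosts to external addresses on the SMB ports listed above. The CSV log format, the sample lines and the internal address ranges are constructed assumptions; adapt them to your own firewall export.

```python
import csv
import io
import ipaddress

# Ports the article recommends blocking at the network border.
SMB_PORTS = {("tcp", 445), ("tcp", 137), ("tcp", 139), ("udp", 137), ("udp", 139)}

# Assumed internal IPv4 ranges; replace with your site's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log (hypothetical CSV export): time,action,proto,src,dst,dport
SAMPLE_LOG = """\
2018-04-12T09:14:02,ALLOW,tcp,10.1.4.23,203.0.113.45,445
2018-04-12T09:14:05,ALLOW,tcp,10.1.4.23,10.1.0.5,445
2018-04-12T09:15:11,DENY,tcp,10.1.7.80,198.51.100.9,139
2018-04-12T09:16:40,ALLOW,udp,10.1.9.12,198.51.100.9,137
2018-04-12T09:17:03,ALLOW,tcp,10.1.4.23,203.0.113.45,443
2018-04-12T09:18:00,ALLOW,tcp,10.1.4.23,bad-address,445
truncated,line
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in INTERNAL_NETS)

def find_outbound_smb(log_text):
    """Return SMB/NetBIOS connections that go from an internal host to an external one."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip blank or truncated lines
        ts, action, proto, src, dst, dport = (f.strip() for f in row)
        try:
            key = (proto.lower(), int(dport))
            leaving = is_internal(src) and not is_internal(dst)
        except ValueError:
            continue  # unparseable port or address
        if key in SMB_PORTS and leaving:
            findings.append({"time": ts, "src": src, "dst": dst,
                             "port": f"{key[1]}/{key[0]}",
                             "blocked": action.upper() == "DENY"})
    return findings

if __name__ == "__main__":
    for f in find_outbound_smb(SAMPLE_LOG):
        status = "blocked" if f["blocked"] else "ALLOWED: border rule missing"
        print(f'{f["time"]} {f["src"]} -> {f["dst"]} {f["port"]} {status}')
```

Any line reported as ALLOWED shows a path on which the border filtering from step 2 is not in effect.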
