Microsoft Outlook Can Be Hijacked to Deliver Poisoned Word Files

Businesses with eyes focussed firmly on Wednesday’s budget may have overlooked Microsoft’s late Tuesday monthly bundle of patches: if that was the case, it’s time to start paying attention — 26 critical CVEs need patching,

Despite the comparatively heavyweight Patch Tuesday — featuring fixes by Microsoft for 115 unique vulnerabilities — no publicly disclosed or known exploited vulnerabilities were reported this month. (As proof of concepts from security researchers start to emerge, naturally, exploits won’t be far behind.)

The majority of the CVEs this month are in the Windows OS (79 CVEs) or the browsers (18 CVEs), with some unusual exceptions.

Microsoft Word Vulnerability

Among the patches was one for CVE-2020-0852: a remote code execution vulnerability that exists in Microsoft Word software when it fails to properly handle objects in memory. The vulnerability affects Word 2016 and 2019.

Any remote attacker would need to convince their target to open a specially crafted file, with the Outlook Preview Pane the attack vector for the vulnerability. (The patch corrects how Microsoft Word handles files in memory.)

This, arguably, may be more hassle than its worth when a nicely crafted phishing email will likely do exactly the same thing, but it is one to watch out and may ultimately prove easier to slip past end-point detection software.

A Wormable RCE is Unpatched?

In one of the week’s odder security moments, Microsoft appeared to pull at the last minute a patch for a vulnerability in version 3.1.1 of the Server Message Block (SMB); a service used to share resources on local networks and over the Internet.

Initially tracked as CVE-2020-0796 before a security advisory was pulled (two vendors published details, then also pulled them, suggesting Microsoft had made a last minute decision to push a patch back) Microsoft ultimately published security advisory ADV200005 and technical guidance after the accidental disclosure.

Microsoft has provided workarounds in its security advisory: including disabling SMBv3 compression and blocking the 445 TCP port on client computers and firewalls to prevent attackers from exploiting the vulnerability.

A Lot of Windows OS Bugs

Todd Schell, Senior Product Manager – Security at Ivanti, emphasised that Microsoft has has resolved several information disclosure vulnerabilities in the Windows OS this month in components such as GDI, Windows Graphics Component, Win32k, Windows Modules Installer Service, Windows Network Driver Interface Specification, and Connected User Experiences and Telemetry Service.

“These vulnerabilities could allow attackers to read from the file system, uninitialised memory, or even memory contents in kernel space from a user mode process. A couple of these vulnerabilities could also allow an attacker to collect information that could allow them to predict addressing of memory.”

Internet Explorer

Jay Goodman Strategic Product Marketing at automated cyber hygiene specialist Automox, suggested that CVE-2020-0847 was another one to watch out for. This is an RCE vulnerability in Internet Explorer caused by improper handling of memory in VBScript: a scripting language used by Microsoft that allows system admins to run powerful scripts and tools for managing endpoints.

Microsoft has also released servicing stack updates for most of the Windows OS versions. The only exceptions this month are Windows 10 version 1703, Server 2008 and Windows 7\2008 R2. In one oddity of the patch cycle, Microsoft announced a vulnerability for Remote Desktop Connection Manager (CVE-2020-0765), but states it does not plan to release an update to fix the issue.

The product has been deprecated. Their guidance is to use caution if you continue to use Remote Desktop Connection Manager, but Microsoft recommends moving to supported Remote Desktop clients.