View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Microsoft Outlook’s Preview Pane Can Be Hijacked to Deliver Poisoned Word Files

115 unique vulnerabilities need patching...

By CBR Staff Writer

Businesses with eyes focussed firmly on Wednesday’s budget may have overlooked Microsoft’s late Tuesday monthly bundle of patches: if that was the case, it’s time to start paying attention — 26 critical CVEs need patching,

Despite the comparatively heavyweight Patch Tuesday — featuring fixes by Microsoft for 115 unique vulnerabilities — no publicly disclosed or known exploited vulnerabilities were reported this month. (As proof of concepts from security researchers start to emerge, naturally, exploits won’t be far behind.)

The majority of the CVEs this month are in the Windows OS (79 CVEs) or the browsers (18 CVEs), with some unusual exceptions. 

Microsoft Word Vulnerability 

Among the patches was one for CVE-2020-0852: a remote code execution vulnerability that exists in Microsoft Word software when it fails to properly handle objects in memory. The vulnerability affects Word 2016 and 2019.

Any remote attacker would need to convince their target to open a specially crafted file, with the Outlook Preview Pane the attack vector for the vulnerability. (The patch corrects how Microsoft Word handles files in memory.)

This, arguably, may be more hassle than its worth when a nicely crafted phishing email will likely do exactly the same thing, but it is one to watch out and may ultimately prove easier to slip past end-point detection software.

A Wormable RCE is Unpatched?

In one of the week’s odder security moments, Microsoft appeared to pull at the last minute a patch for a vulnerability in version 3.1.1 of the Server Message Block (SMB); a service used to share resources on local networks and over the Internet.

Content from our partners
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester
Infosecurity Europe 2024: Rethink the power of infosecurity

Initially tracked as CVE-2020-0796 before a security advisory was pulled (two vendors published details, then also pulled them, suggesting Microsoft had made a last minute decision to push a patch back) Microsoft ultimately published security advisory ADV200005  and technical guidance after the accidental disclosure.

Microsoft has provided workarounds in its security advisory: including disabling SMBv3 compression and blocking the 445 TCP port on client computers and firewalls to prevent attackers from exploiting the vulnerability.

A Lot of Windows OS Bugs 

Todd Schell, Senior Product Manager – Security at Ivanti, emphasised that Microsoft has has resolved several information disclosure vulnerabilities in the Windows OS this month in components such as GDI, Windows Graphics Component, Win32k, Windows Modules Installer Service, Windows Network Driver Interface Specification, and Connected User Experiences and Telemetry Service.

“These vulnerabilities could allow attackers to read from the file system, uninitialised memory, or even memory contents in kernel space from a user mode process. A couple of these vulnerabilities could also allow an attacker to collect information that could allow them to predict addressing of memory.”

Internet Explorer

Jay Goodman Strategic Product Marketing at automated cyber hygiene specialist Automox, suggested that CVE-2020-0847 was another one to watch out for. This is an RCE vulnerability in Internet Explorer caused by improper handling of memory in VBScript: a scripting language used by Microsoft that allows system admins to run powerful scripts and tools for managing endpoints.

Microsoft has also released servicing stack updates for most of the Windows OS versions. The only exceptions this month are Windows 10 version 1703, Server 2008 and Windows 7\2008 R2. In one oddity of the patch cycle, Microsoft announced a vulnerability for Remote Desktop Connection Manager (CVE-2020-0765), but states it does not plan to release an update to fix the issue.

The product has been deprecated. Their guidance is to use caution if you continue to use Remote Desktop Connection Manager, but Microsoft recommends moving to supported Remote Desktop clients.

See also: High Voltage Attack: EU’s Power Grid Organisation Hit by Hackers

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.