Dangerous New Outlook Exploit Triggers Automatically

Microsoft have acknowledged a critical new zero-day vulnerability with Outlook, that does not require any user interaction with an email to be triggered.

Reported by the Ukrainian Computer Emergency Response Team (CERT) to Microsoft and graded 9.8/10 on the severity scale according the NIST, the exploit is believed to have already been used by a “Russia-based threat actor” in attacks against European targets across government, transport, energy and military sectors.

The exploit (CVE-2023-23397) abuses the way Microsoft Outlook attempts to follow links in emails to retrieve remote content, even before they’re opened or viewed in the preview pane – allowing a remote attacker’s server to request authentication via an old technology known as NTLM, and automatically receive poorly encrypted username and password details from Outlook. NTLM was officially retired by Microsoft after Exchange 2003, but the technology remains available in current versions.

This is dangerous because with a username, password and corresponding email address, hackers have effectively completed a credential theft without any interaction from the end user. Many users use their email account as a single-sign on for other applications, putting numerous other services at risk.

CVE-2023-23397 is not yet fully documented however Microsoft believe the vulnerability occurs “when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat-actor controlled server. No interaction is required.” Once a connection is made, the server sends the user a new technology LAN manager (NTLM) negotiation message which is relayed for authentication – none of which requires the user to even view the email itself.

The exploit affects only the Microsoft Windows version of the Outlook Desktop client. Outlook for Mac, the Outlook Web & Mobile Apps (as well as Outlook.com) are not affected – since these do not support NTLM authentication. Estimates vary but Outlook is said to be used by over 400 million users worldwide, in its various forms.

System administrators are advised to urgently patch with the latest Outlook updates from Microsoft within 24 hours.

Where this is not possible, system administrators are advised to add users to the Protected Users Security Group (blocking NTLM), or Block TCP 445/SMB outbound from network firewalls or via VPN settings, cutting off any NTLM authentication messages at the perimeter of your network. In both cases, Microsoft warn this may affect other services from working correctly.

 

For Cyber Security expertise and support, please contact Lineal’s Cyber Security Team today.


Uh Oh, Time to Patch Firefox Again

Mozilla have released an urgent patch to version 74.0 of Firefox, notifying browser users around the world that it’s time to patch Firefox again.

The timing of the new patch, which also affects the ‘Extended Support Release’ (version 68.6) suggests that the latest update fixes a vulnerability which (at worst) may have been live in the browser since July 2019.

Mozilla’s official announcement from 3rd April categorises the impact as ‘Critical’, and states that ‘we are are of targeted attacks in the wild abusing this flaw’.

The precise details of the security flaw have not yet been published, although we know that the issue refers to a ‘use-after-free’ function by which the browser frees up previously occupied memory back to the device – with online cybersecurity blogs speculating that any new contents of the relinquished memory may still have some level of access to the browser.

Community-led Mozilla, whose popular Firefox browser is still the World’s second-most popular desktop browser, suffered other critical security flaws as recently as January – when the US Department of Homeland security took the unusual step of instructing users to urgently update their browsers following the discovery of a vulnerability which granted potential access to the operating system.

Not that Mozzilla are unique in such issues: Google also faced embarrassment in recent months after rolling out an experimental change to Chrome which left millions of users unable to load new tabs.

Patch your browser regularly: Firefox users can update to version 74.0.1 via:

  • To upgrade on PC, open Firefox and click ‘About’ and select ‘Restart and Update Firefox.’
  • To upgrade on Mac, open Firefox and click ‘Options’, ‘Firefox Updates or Options’, ‘Advanced’, ‘Update to update Firefox.’

Zero-Day Patch Released for Adobe Reader DC

Adobe have released an urgent update for Adobe Reader DC, patching newly discovered security vulnerabilities.

The highly popular PDF app, often pre-installed on Windows PCs, has been shown to contain a loophole that allows an attacker to remotely run Javascript code within an opened PDF to cause memory corruption.

Currently rated ‘Critical’ by Adobe’s Severity Rating System, the bug is believed to have originated from entirely legitimate functionality: Adobe Reader allows PDFs to contain embedded JavaScript to support interactions with the web.

Adobe have responded quickly – publishing the fix to Adobe Security Bulletin alongside patching for 42 other vulnerabilities as of Wednesday 12th February, including one which allowed PDF documents to access hashed passwords.

Adobe Reader is officially 25 years old this year, and although official figures are hard to source, is popularly believed to dominate more than 75% of the PDF software market.

Users can either auto-update their installation or prompt this manually by clicking ‘Help’ > ‘Check for Updates’ within the software itself.

 

For software and security expertise, contact Lineal today.


Apple fixes MacOS Root Password security blunder

Apple have issued a fix for yesterday’s severe security alert, after it emerged the tech giant’s High Sierra operating system would allow access to many users’ MacOS Root User without entering a password.

The story caused alarm around the world, as Mac users discovered full administrator control of their device was available to anyone within reach of the keyboard.

Discovered by a Turkish developer who tweeted it to Apple Support, Lemi Ergin, the widely publicised fault is believed to affect all Apple MacOS devices (such as the iMac and MacBook ranges) running version 10.13.1 or newer.

Mr Ergin has since published an article on Medium defending his decision to flag the vulnerability publicly, arguing that despite the security flaw being public knowledge on the Apple Developer Forum since 13th November, Apple had failed for resolve the issue.

Yesterday Lineal published guidance to all our Mac clients, advising caution over the physical security of Apple hardware, and explaining the need for users to set a new root password to temporarily secure their Mac while Apple worked on a security fix.

Security update 2017-001 is now available via the App Store, and Apple have even taken the almost unprecedented step of forcing 10.13.1 devices to update automatically.

MacOS root

The failure to set a random default MacOS root password (a fundamental technical security feature) once again calls into question the recent competence of Apple’s historically excellent quality control and product testing, and may slow the adoption of the firm’s latest flagship operating system. The widespread media publicity surrounding the story is also likely to undermine Apple’s long-held reputation for security on Mac devices.

Apple issued an apology, stating ‘We greatly regret this error and apologise to all Mac users.”

 

For Apple assistance and support, contact Lineal’s IT team today.


Technology firms rush to fix WPA2 KRACK

Technology firms are urgently issuing fixes for the WPA2 KRACK (Key Reinstallation Attack) thought to compromise the WPA2 encryption used in most WiFi routers and other wirelessly enabled devices.

The exploit, discovered and published by Mathy Vanhoef, a Belgian security expert for Imec-Distrinet, Ku Leuven, has caused serious alarm amongst cybersecurity professionals due to the widespread use of WPA2 across millions of items of networked hardware around the World.

Vanhoef’s website, detailing how the the WPA2 KRACK works, demonstrates on video how an unfortunate Android smartphone can be tricked into re-installing an all-zero encryption key, which makes de-crypting data transmitted from the device possible. 

Security guidance remains to continue using WPA2 (rather than reverting to an older encryption standard) and to install the latest WPA2 KRACK security updates from manufacturers as soon as they are available.

A number of key technology vendors were notified in August, giving them some time to prepare. Microsoft are reported to have adjusted “how Windows verifies windows group key handshakes” to fix the issue. Apple and Android are yet to specify exactly when patches will be available, although both are understood to be working on a secure fix to be made available in coming weeks. The more responsive hardware developers, including Cisco and Ubiquiti, yesterday began issuing guidance and new firmware for their wireless equipment.

The Wi-Fi Alliance, the international organisation dedicated to developing Wi-Fi technology, have essentially argued that there is no need to panic. There is no evidence of the extremely serious hack being deployed outside test conditions (yet) – although it’s probably only a matter of time before someone attempts to do so. Because Wi-Fi relies on physical range, it’s likely this could target public Wi-Fi and other easily accessible networks. For this reason, users are (as always) reminded not to use public networks for sensitive tasks, such as online banking.

It’s clear from the increased publicity surrounding the discovery that major vendors of network equipment will be under pressure to issue the required WPA2 KRACK security patches.

However, the underlying vulnerability also threatens a wide range of wirelessly connected internet-of-things (IOT) devices – including everything from CCTV to smart-fridges – such that it’s unclear just how widespread this latest security flaw will actually prove.

For IT support and cybersecurity expertise: get in touch with Lineal today.