Pen-tester gets past Microsoft VB macro barriers

A bunch of white-hat researchers have turned up a nasty new vector for attacking Microsoft Outlook: a forms creation feature that bypasses macro rules so attackers can get to the victim's shell. Sensepost says its interest in looking for an attack angle arose because Microsoft blocked older weak spots in a patch for Outlook …

  1. Black Betty

    Perfect bloatware example.

    Two chunks of code that perform the same function in one application.

    1. Pascal Monett

      Perfect Microsoft bloatware

      And one of them allows you to bypass security restrictions

  2. Christopher Reeve's Horse

    Magic!

    Most of my VBA code can also be generalised as:

    Start

    >>MAGIC<<

    End

    You've found my secret!!

  3. Peter2

    Actual impact & securing a network against this...

    So, for those of us who actually get paid to manage networks and are looking carefully at what sort of a threat this is...

    My understanding is that you can't create a form in your copy of Outlook and then email it to the target and have it work. The attacker first has to have full access to my user's copy of Outlook, write the attack code and then save it as a draft, and then get the user to open that draft. In my environment this would require that the local machine already be compromised, so the threat to me from this is effectively zero.

    But in other environments you could potentially access Office 365 instead of the local machine and do the dirty work there, and the next time the user logs in they get compromised. If I'm reading that right then it's a threat to 365 users using hosted Exchange, hence the bit about 2FA on logins.

    Or am I missing something? Comments from other professionals welcome.
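    The precondition above (the attacker has to get a crafted item into the user's own mailbox and saved as a draft) suggests a cheap check an admin can run on a workstation. The following is an added example, not code from the article, the Sensepost research or any commenter: it uses the Outlook COM automation objects (Outlook.Application, the MAPI namespace and the Drafts default folder, all real, documented objects) to list draft items whose MessageClass is anything other than the plain IPM.Note mail class. The assumption being made is that an item built from a custom form carries a custom message class rather than IPM.Note; that assumption is the example's, not the page's.

```powershell
# Added example (not from the article or the comment thread).
# Lists items in the user's Outlook Drafts folder whose MessageClass is not the
# plain "IPM.Note" mail class. Assumption: a draft created from a custom form
# carries a custom MessageClass, so anything else here deserves a look.
# Requires Outlook to be installed with a default MAPI profile; runs as the user.

$outlook = New-Object -ComObject Outlook.Application
$ns      = $outlook.GetNamespace("MAPI")
$drafts  = $ns.GetDefaultFolder(16)      # 16 = olFolderDrafts

$suspect = @()
foreach ($item in $drafts.Items) {
    $cls = $item.MessageClass
    # Plain mail drafts are "IPM.Note"; anything else gets recorded.
    if ($cls -and $cls -ne "IPM.Note") {
        $suspect += [pscustomobject]@{
            Subject      = $item.Subject
            MessageClass = $cls
            Created      = $item.CreationTime
        }
    }
}

if ($suspect.Count -eq 0) {
    "No custom-form items found in Drafts for this profile."
} else {
    "Draft items with a non-standard message class (review these):"
    $suspect | Format-Table -AutoSize
}
```

    Two caveats a practitioner should keep in mind: this only inspects the Drafts folder of the currently logged-in profile, so it says nothing about forms stored elsewhere in the mailbox or about other users; and a non-standard MessageClass is a prompt to look, not proof of an attack, since legitimate custom forms exist in many organisations.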

    1. The First Dave

      Re: Actual impact & securing a network against this...

      Personally, I think that anything important needs "belt and braces", so if MS say "It's OK unless X" I get worried, and I won't be happy unless there are at least two reasons why this isn't a real threat.

    2. Anonymous Coward

      Re: Actual impact & securing a network against this...

      Basically, this attack add forceps to the Microsoft goatse (I'll wait while you recover from that image).

      It's not hard to breach Microsoft security; this just allows you to wedge a digital crowbar in the many cracks and widen the opening quickly.

    3. 1Rafayal

      Re: Actual impact & securing a network against this...

      I don't think this affects Office 365, at least the article didn't mention it anyway...

  4. Mage

    Solution is controversial but saves money

    Migrate away from Exchange to open source on a Linux server. If you aren't using Exchange, why use Outlook at all?

    Migrate away from Outlook. It's always been insecure with daft default settings. Use an open source email client that supports POP, IMAP etc. Disable remote content by default. Learn about incoming attachments, phishing etc.

    1. Captain Scarlet

      Re: Solution is controversial but saves money

      I take it you have never had to deal with users who have only ever used Outlook.

      Change from Outlook and very likely the directors will want to skin you alive.

      Back when we ran Lotus Domino/Notes it took very little for management to go "I want Outlook" and out the door it went (me with it for several months, also not helped, I might add, by IBM demanding like-for-like licensing costs when only email was used, and they had the cheek to audit us!).

      Personally I am fine with any webmail client; it's just email at the end of the day.

      1. Peter2

        Re: Solution is controversial but saves money

        The problem is that most geeks basically work solo, so don't see why people want to keep Outlook in preference to their favoured email clients.

        I have for about a decade said that I feel that when <insert email client> gets to equivalent functionality of Outlook/Exchange 1997 then people would happily swap. It's still not happened yet.

        Basically, imagine a manager and a PA. When the manager can give read only access to non private flagged items in his mailbox to his PA, and full access to add edit or delete his calendar in $NotOutlook without requiring the slightest bit of technical knowledge then Outlook can go.

        Most companies only really buy Office for Outlook, so when Outlook goes then the Microsoft Office package can be replaced with something else.

        No Outlook means you don't need to renew the Exchange server after a few years.

        No Exchange server means that you don't need to run a Windows server for Exchange.

        No Exchange or Windows servers means that you don't really *need* to run Windows desktops (unless you have an industry-specific program that everybody needs that's only available for Windows, which is increasingly less of a problem; even in the medical sector important things like SystmOne are available through a web browser).

        And the following year is the year of either the Linux (or ReactOS) desktop.

        But Outlook still rules the business world, because it does what business users need it to do and it's worth the financial cost. When a system does the same and the users (not techs) agree then IMO the above will happen, but not before.

        1. Kiwi

          Re: Solution is controversial but saves money

          > Basically, imagine a manager and a PA. When the manager can give read only access to non private flagged items in his mailbox to his PA, and full access to add edit or delete his calendar in $NotOutlook without requiring the slightest bit of technical knowledge then Outlook can go.

          There are email clients that don't do this? Evolution has been able to do it for some time, and my older tablet and my technophobe mate have the ability to read and alter my calendar, hosted on ownCloud (I currently use Gmail for mail but that'll change again in the coming months once I have some money to throw at a machine so I can resurrect my own email server). Took him all of a couple of minutes to understand "click on calendar, click on mine, right click on day to create an event OR right click on event to modify it". He even manages to handle Lightning and its annoying "re-notify you a dozen times for past events" stuff. I'd change him to Evolution but as it doesn't look exactly like Thunderbird (which he got initially at great protest when his Windows machine became so often and so badly hosed he was given the options of Linux or paying someone else to fix it).

          I keep hearing "you must have Outlook for business" but I've yet to see a solid case for it. I don't mean some twat MS lover saying nothing does what they need, but real actual features that Outlook has that others don't (I mean aside from the obvious security holes and allowing virus code to be put into the subject line and so on that Outlook does).

        2. ArthurKinnell

          Re: Solution is controversial but saves money

          You can, and it's called GroupWise; it also had these features years before Outlook.

  5. breakfast

    In this field it's hard to know what you can and can't say

    I guess what I'm saying is there must be a lot of red lines for pen testers.

  6. ma1010

    Ready? All together, one, two, three...

    "The technique described in the blog is not a software vulnerability..."

    It's not a bug. It's a FEATURE!
