Perfect bloatware example.
Two chunks of code that perform the same function in one application.
A bunch of white-hat researchers have turned up a nasty new vector for attacking Microsoft Outlook: a forms creation feature that bypasses macro rules so attackers can get to the victim's shell. Sensepost says its interest in looking for an attack angle arose because Microsoft blocked older weak spots in a patch for Outlook …
So, for those of us who actually get paid to manage networks and are looking carefully at what sort of a threat this is...
My understanding is that you can't create a form in your copy of Outlook and then email it to the target and have it work. The attacker first has to have full access to my user's copy of Outlook, write the attack code and then save it as a draft, and then get the user to open that draft. In my environment this would require that the local machine already be compromised, so the threat to me from this is effectively zero.
But in other environments you could potentially access Office 365 instead of the local machine and do the dirty work there, and the next time the user logs in they get compromised. If I'm reading that right then it's a threat to 365 users using hosted Exchange, hence the bit about 2FA on logins.
Or am I missing something? Comments from other professionals welcome.
Basically, this attack adds forceps to the Microsoft goatse (I'll wait while you recover from that image).
It's not hard to breach Microsoft security; this just allows you to wedge a digital crowbar in the many cracks and widen the opening quickly.
Migrate away from Exchange to open source on a Linux server. If you aren't using Exchange, why use Outlook at all?
Migrate away from Outlook. It's always been insecure with daft default settings. Use an open-source email client that supports POP and IMAP etc. Disable remote content by default. Learn about incoming attachments, phishing etc.
I take it you have never had to deal with users who have only ever used Outlook.
Change from Outlook and very likely the directors will want to skin you alive.
Back when we ran Lotus Domino/Notes it took very little for management to go "I want Outlook" and out the door it went (me with it for several months; also not helped, I might add, by IBM demanding like-for-like licensing costs when only email was used, and they had the cheek to audit us!).
Personally I am fine with any webmail client; it's just email at the end of the day.
The problem is that most geeks basically work solo so don't see why people want to keep Outlook in preference to their favoured email clients.
I have for about a decade said that I feel that when <insert email client> gets to equivalent functionality of Outlook/Exchange 1997 then people would happily swap. It's still not happened yet.
Basically, imagine a manager and a PA. When the manager can give read-only access to non-private-flagged items in his mailbox to his PA, and full access to add, edit or delete his calendar in $NotOutlook without requiring the slightest bit of technical knowledge, then Outlook can go.
Most companies only really buy Office for Outlook, so when Outlook goes then the Microsoft Office package can be replaced with something else.
No Outlook means you don't need to renew the Exchange server after a few years.
No Exchange server means that you don't need to run a Windows server for Exchange.
No Exchange or Windows servers means that you don't really *need* to run Windows desktops (unless you have an industry-specific program that everybody needs that's only available for Windows, which is increasingly less of a problem; even in the medical sector important things like SystmOne are available through a web browser).
And the following year is the year of either the Linux (or ReactOS) desktop.
But Outlook still rules the business world, because it does what business users need it to do and it's worth the financial cost. When a system does the same and the users (not techs) agree then imo the above will happen, but not before.
Basically, imagine a manager and a PA. When the manager can give read-only access to non-private-flagged items in his mailbox to his PA, and full access to add, edit or delete his calendar in $NotOutlook without requiring the slightest bit of technical knowledge, then Outlook can go.
There are email clients that don't do this? Evolution has been able to do it for some time, and my older tablet and my technophobe mate have the ability to read and alter my calendar, hosted on ownCloud (I currently use Gmail for mail but that'll change again in the coming months once I have some money to throw at a machine so I can resurrect my own email server). Took him all of a couple of minutes to understand "click on calendar, click on mine, right click on day to create an event OR right click on event to modify it". He even manages to handle Lightning and its annoying "re-notify you a dozen times for past events" stuff. I'd change him to Evolution but as it doesn't look exactly like Thunderbird (which he got initially at great protest when his Windows machine became so often and so badly hosed he was given the options of Linux or paying someone else to fix it).
I keep hearing "you must have Outlook for business" but I've yet to see a solid case for it. I don't mean some twat MS lover saying nothing does what they need, but real actual features that Outlook has that others don't (I mean aside from the obvious security holes and allowing virus code to be put into the subject line and so on that Outlook does).