Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/), feed generated Fri, 15 Dec 2023 18:16:08 +0000

Silent Email Attack CVE-2023-35628: How to Hack Without an Email Click in Outlook
https://www.securitynewspaper.com/2023/12/15/silent-email-attack-cve-2023-35628-how-to-hack-without-an-email-click-in-outlook/ (Fri, 15 Dec 2023 18:16:06 +0000)

CVE-2023-35628 is a critical remote code execution (RCE) vulnerability affecting the Microsoft Windows MSHTML platform, with a Common Vulnerability Scoring System (CVSS) score of 8.1, indicating a high level of risk. This flaw is particularly concerning because it can be exploited without any interaction from the user. The vulnerability can be triggered when Microsoft Outlook retrieves and processes a specially crafted email, even before the email is viewed in the Outlook Preview Pane. This makes it a particularly insidious threat, as users may be unaware of the lurking danger.

The nature of CVE-2023-35628 allows a remote, unauthenticated attacker to execute arbitrary code on the victim’s system. The exploit can be initiated by sending a specially crafted email, and it has been noted that ransomware gangs and other malicious entities are likely to find this vulnerability an attractive target. Although the exploit code maturity for CVE-2023-35628 is currently unproven, which means there might not yet be a reliable method for exploiting this vulnerability in the wild, the potential for remote code execution makes it a critical issue for all Windows users.

MSHTML platform

The vulnerability in the MSHTML platform, specifically CVE-2023-35628, can be attributed to several factors that are commonly found in software vulnerabilities:

  1. Parsing and Rendering of HTML Content: MSHTML, being a component used for parsing and rendering HTML content in applications like Microsoft Outlook, processes a large amount of untrusted input. This input, which often includes complex HTML and scripting content, can contain flaws or unexpected sequences that are not properly handled by the software.
  2. Memory Management Issues: Vulnerabilities often arise due to memory management issues such as buffer overflows, use-after-free errors, or other similar problems. These issues can occur when the software does not correctly allocate, manage, or free memory when processing HTML content. Attackers can exploit these weaknesses to execute arbitrary code.
  3. Insufficient Input Validation: Software vulnerabilities can also stem from insufficient input validation. If MSHTML does not properly validate or sanitize the HTML content it processes, malicious input could be used to trigger an exploit. This could include specially crafted scripts or malformed HTML structures designed to take advantage of the parser’s weaknesses.
  4. Complexity of Web Standards: The complexity of modern web standards can also contribute to vulnerabilities. As standards evolve and become more complex, it becomes increasingly challenging to ensure that every aspect of the parsing and rendering process is secure against all potential attack vectors.
  5. Integration with Email Clients: The integration of MSHTML with email clients like Outlook adds another layer of complexity. Emails are a common vector for delivering malicious content, and the automatic processing of emails (including the rendering of HTML content) can make it easier for attackers to exploit vulnerabilities without direct interaction from the user.

The No-Click Exploit

An exploit for the CVE-2023-35628 vulnerability in the Windows MSHTML platform would typically involve a few key steps, tailored to leverage the specific nature of this flaw. Here’s a generalized overview of how such an exploit could work:

  1. Crafting a Malicious Email: The attacker starts by creating a specially crafted email. This email would contain malicious code or a payload designed to exploit the vulnerability in the MSHTML platform. The precise nature of this code depends on the specifics of the vulnerability and would be tailored to trigger the flaw in MSHTML.
  2. Email Delivery and Automatic Processing: The crafted email is then sent to the target. In the case of CVE-2023-35628, the critical aspect is that the vulnerability is triggered when Microsoft Outlook retrieves and processes the email. This processing happens automatically, often before the email is even displayed in the Outlook Preview Pane.
  3. Remote Code Execution: Upon processing the malicious email, the exploit code is executed. This code execution occurs within the context of the MSHTML platform, which is a key component used by Outlook for rendering HTML content in emails.
  4. Taking Control or Damaging the System: Once the code is executed, it can perform various malicious activities. This could range from taking control of the user’s system, stealing sensitive information, installing malware, or performing other harmful actions. The extent of the damage or control depends on the nature of the payload and the permissions available to the MSHTML process.

Memory shaping is an advanced exploitation technique often used in sophisticated cyber attacks, particularly those involving complex software systems and secure environments. It’s a method used by attackers to manipulate the layout or state of memory in a target application to facilitate the exploitation of vulnerabilities. Memory shaping can be a part of exploiting vulnerabilities like buffer overflows, use-after-free errors, or other memory corruption issues.

Here’s a simplified example to illustrate how memory shaping and its exploitation might work:

  1. Identifying a Vulnerability: First, the attacker finds a vulnerability in the target application that can be exploited to corrupt memory. For instance, this could be a buffer overflow, where the application fails to check the length of input, allowing an attacker to write more data to a buffer than it can hold.
  2. Analyzing Memory Layout: The attacker then studies the application’s memory layout to understand how data is stored and managed. This involves identifying where in memory different types of data are located and how they are accessed by the application.
  3. Memory Shaping: Once the attacker has a good understanding of the memory layout, they begin the process of memory shaping. This involves crafting inputs or actions that modify the application’s memory in a controlled way. For example, they might allocate and free memory in a specific pattern to arrange chunks of memory in a desired layout.
  4. Exploiting the Vulnerability: With the memory shaped to their advantage, the attacker then exploits the identified vulnerability. Using the buffer overflow example, they might overflow a buffer with data that includes malicious code (the payload) and carefully calculated addresses or commands that redirect the application’s execution flow to the payload.
  5. Executing Arbitrary Code: If successful, the exploit allows the attacker’s code to be executed with the privileges of the target application. This could lead to various malicious outcomes, such as data theft, installation of malware, or gaining control over the system.

It’s important to note that memory shaping is a complex and technical process that requires in-depth knowledge of both the target application and general exploitation techniques. It’s typically used in scenarios where standard exploitation methods are not effective, often due to security measures like Address Space Layout Randomization (ASLR) or other protections.

Due to the complexity and potential for misuse, specific exploit code or detailed methodologies for memory shaping are not shared publicly. The goal of cybersecurity research in this area is to understand and mitigate such advanced threats, ensuring software and systems are secure against potential attacks.

It’s important to note that the complexity of the exploit for CVE-2023-35628 is considered high. It requires specific knowledge and techniques, particularly related to memory shaping, to successfully exploit the vulnerability. This complexity might limit the exploitation to more skilled attackers.

The attack complexity is considered high due to the reliance on complex memory-shaping techniques to successfully exploit the vulnerability. Despite this complexity, the high impact of the vulnerability necessitates prompt attention and action. Microsoft has addressed this flaw in their December 2023 Patch Tuesday updates, recommending users to update their systems as a preventative measure.

It’s important to note that CVE-2023-35628 is just one of several vulnerabilities addressed in the December 2023 Patch Tuesday updates. Other notable vulnerabilities include CVE-2023-35630 and CVE-2023-35641, which are remote code execution vulnerabilities affecting Microsoft Internet Connection Sharing (ICS) with a CVSS score of 8.8, and a critical spoofing vulnerability in Microsoft Power Platform Connector (CVE-2023-36019) with a CVSS score of 9.6.

Mitigation & Scope

The CVE-2023-35628 vulnerability, which is a critical remote code execution flaw in the Windows MSHTML platform, affects a range of Microsoft products, including Office 365 and on-premises versions. This vulnerability is significant due to its potential to allow exploitation as soon as Outlook retrieves and processes a specially crafted malicious email, even before the user interacts with the email. This means that exploitation could occur without any action from the user, not even requiring the Preview Pane in Outlook.

In terms of impact on Office 365 and on-premises environments, it’s important to note that the MSHTML proprietary browser engine, which is the component affected by this vulnerability, is used by Outlook among other applications to render HTML content. The fact that this engine remains installed within Windows, regardless of the status of Internet Explorer 11, means that systems where Internet Explorer 11 has been fully disabled are still vulnerable until patched.

For addressing this vulnerability, Microsoft released patches as part of their December 2023 Patch Tuesday. These patches are essential for mitigating the risk posed by this vulnerability and are available for various versions of Windows and related software components. Given the critical nature of this vulnerability and its potential impact on confidentiality, integrity, and availability, it’s strongly recommended for users and administrators of both Office 365 and on-premises environments to apply these updates promptly.

The December 2023 Patch Tuesday from Microsoft addressed a total of 34 vulnerabilities, including this critical RCE vulnerability in MSHTML. It’s noteworthy that there were no security patches for Exchange, SharePoint, Visual Studio/.NET, or SQL Server in this particular update cycle.

The details about the patches and the specific versions they apply to can be found in Microsoft’s security bulletins and support documentation. For users and administrators, it is crucial to review these resources and ensure that all applicable security updates are applied to protect against potential exploits of this vulnerability.

Given the severity and the ease with which this vulnerability can be exploited, it is crucial for Windows users, particularly those using Microsoft Outlook, to ensure their systems are updated with the latest security patches provided by Microsoft. Regular review of patching strategies and overall cybersecurity methods is advisable to maintain a robust security posture.

Hack into Outlook email accounts with just a music .wav file
https://www.securitynewspaper.com/2023/05/11/hack-into-outlook-email-accounts-with-just-a-music-wav-file/ (Thu, 11 May 2023 22:48:29 +0000)

On Tuesday, Microsoft issued an updated patch to address a vulnerability that had previously been fixed in March but which was subsequently found by researchers in the security community to be ineffective.

Ben Barnea, a researcher at Akamai, found a way around the fix that had been released in March: an attacker could still exploit the vulnerability to force an Outlook client to connect to a server controlled by the attacker.

Barnea said that the problem is a zero-click vulnerability, which means that it can be triggered with no interaction from the user, and that all versions of Windows are vulnerable to it. Barnea elaborated that the original patch was rendered meaningless by the introduction of a single new character. However, he and the security team at Akamai disagreed with the way Microsoft categorized the problem, which was assigned a CVSS score of just 6.5. They found the bypass while analyzing the patch for CVE-2023-23397, which fixed the issue by changing the code flow in Outlook so that it now checks whether the universal naming convention (UNC) path that retrieves the custom sound file refers to an internet URL and, if it does, uses the default reminder sound instead of the custom one.

Unfortunately, they also discovered that the check (and, as a consequence, the patch) can be readily bypassed by adding a single character, which alters the way a certain function categorizes the zone of the UNC path. This was a disappointing discovery.

Also, according to recent study conducted by Cybernews, more than 85,000 Microsoft Exchange servers do not have the necessary patches installed to protect them from multiple vulnerabilities that allow remote code execution and were resolved by Microsoft in February 2023.

Threat actors are able to remotely execute code on the target computer thanks to the vulnerabilities in question, which are tracked as CVE-2023-21529, CVE-2023-21706, and CVE-2023-21707.

Even though there have been no reports of attacks exploiting these problems so far, Microsoft recommended that enterprises upgrade their servers as quickly as possible, because the flaws could theoretically be leveraged by hackers to gain initial access to a corporate network.

However, the findings of the investigation indicate that, over three months after security updates were made available, many businesses that use Microsoft Exchange are still susceptible to these flaws.

The team discovered that one in every three Microsoft Exchange servers was still missing its patch; the largest share of these are located in Germany (almost 18,000).

Researchers examined a total of 248,350 internet-connected Microsoft Exchange servers. They found that 85,261 of those servers, or 34.33%, were vulnerable to RCE attacks.

The United States of America is the second most afflicted nation in the world, with approximately 16,000 servers that have not yet been patched. This is followed by the United Kingdom (3,734), France (2,959), the Netherlands (2,906), and Russia (2,775).

In addition, the researchers evaluated the distribution of Exchange versions and discovered that, in the majority of Western nations, newer versions that were still susceptible were more frequent, with the exception of the first minor version in a major release (for example, version 15.2.986.5 rather than 15.2.986.41).

Researchers found that in China and Russia earlier versions of Microsoft Exchange 2016 predominated, even though newer versions were in use for the 2019 and 2013 releases and newer versions were available.

Even though it’s been many months since the RCE problems were discovered, the number of Exchange servers that are still missing their patches is scarcely going down at all. The researchers noticed that the number of susceptible servers in February was around 87,000, as shown by the statistics provided by the Shadowserver Foundation.

How to hide spoofed malicious domain when users hover above a link in a phishing email in Microsoft Outlook, Word or Excel document?
https://www.securitynewspaper.com/2022/06/03/how-to-hide-spoofed-malicious-domain-when-users-hover-above-a-link-in-a-phishing-email-in-microsoft-outlook-word-or-excel-document/ (Fri, 03 Jun 2022 20:43:26 +0000)

A recent report indicates that Microsoft Office applications could be exposed to homograph attacks based on internationalized domain names (IDNs). In a successful attack, a target user scrolling over a link in a phishing email or Word or Excel document could be automatically redirected to a malicious domain.

The report, by Bitdefender, mentions: “Users in a position to validate a link in an email client before clicking on it, will be susceptible to clicking on it because it has not yet been translated into a real domain name in their browser. The actual domain name would only be seen after the page has started to open.”

The term IDN refers to domain names that, in whole or in part, use characters from a non-Latin script or alphabet, encoded under the Unicode standard. In order for the Domain Name System (DNS) to interpret them correctly, IDNs are stored in the DNS as ASCII strings using Punycode transcription.

Counterfeit IDN homograph domains can be created by combining letters from different alphabets, which to the user look so similar to each other that it is impossible to distinguish them, although Unicode treats them as separate entities. This is not a new concept, although it is still a problem for many users.

Most browsers, for example, show the real (Punycode) name of an internationalized domain in the address bar (https://xn--n1aag8f.com, for example) instead of its display name (https://žugec.com) if the site is suspicious. Office applications, including Outlook, however, display the name differently.

Since domain registration verification greatly limits which counterfeit domains can be registered and most browsers display the real name of the spoofed IDN domain, IDN homograph attacks have ceased to be a constant cybersecurity threat, although threat actors may find ways to deploy these attacks on a large scale.

Microsoft acknowledged the problem when it received the Bitdefender report, though it’s unclear if the issue will be fixed. Until the issue is resolved, endpoint security solutions and IP and URL reputation services can help by blocking most suspicious domains.
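A defender-side check for the gap between a domain’s display name and its Punycode name, as an added example that is not part of this article or of Bitdefender’s report. It uses Python’s built-in idna codec to show both forms of a link’s hostname, flags labels whose letters come from more than one script (the “letters from different alphabets” the report describes), and flags links whose visible text names a different host than the href. The sample links, including a constructed lookalike whose first letter is a Cyrillic small letter a (U+0430), are invented for the demonstration; the script-tagging heuristic (first word of each letter’s Unicode name) is an assumption of this example, not an official Unicode script property.

```python
"""Flag IDN homograph lookalikes in hyperlinks before a user trusts the hover text."""
import unicodedata
from urllib.parse import urlsplit


def letter_scripts(label):
    """Approximate the set of scripts used by the letters of one DNS label.
    The first word of a character's Unicode name (LATIN, CYRILLIC, GREEK, ...)
    is a good-enough script tag for a phishing heuristic (assumption of this example)."""
    scripts = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def to_dns_form(host):
    """Punycode (xn--) form: the name that DNS actually resolves."""
    return host.encode("idna").decode("ascii")


def to_display_form(host):
    """Unicode form: the name an email client shows the user on hover."""
    return host.encode("ascii").decode("idna")


def analyse_link(href, link_text=""):
    """Return a verdict dict for one hyperlink (href plus its visible text)."""
    host = urlsplit(href).hostname or ""
    try:
        dns_host = to_dns_form(host)
        display_host = to_display_form(dns_host)
    except UnicodeError as exc:  # empty/overlong label, malformed punycode, ...
        return {"href": href, "suspicious": True, "reasons": [f"invalid hostname: {exc}"]}

    reasons = []
    if any(label.startswith("xn--") for label in dns_host.split(".")):
        reasons.append(f"IDN host: shown as {display_host!r}, resolves as {dns_host!r}")
    mixed = [label for label in display_host.split(".") if len(letter_scripts(label)) > 1]
    if mixed:
        reasons.append(f"label(s) mix scripts: {mixed}")
    # If the visible text is itself a URL, its host must match the real target.
    if "://" in link_text:
        text_host = urlsplit(link_text).hostname or ""
        if text_host and to_dns_form(text_host) != dns_host:
            reasons.append(f"visible text names {text_host!r}, link goes to {dns_host!r}")
    return {
        "href": href,
        "display_host": display_host,
        "dns_host": dns_host,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample links (not from the article). The second and third hosts
# use Cyrillic small letter a (U+0430), which renders like Latin 'a'.
SAMPLE_LINKS = [
    ("https://example.com/login", "https://example.com/login"),
    ("https://\u0430pple.com/verify", "Verify your account"),
    ("https://xn--pple-43d.com/verify", "https://apple.com/verify"),
]

if __name__ == "__main__":
    for href, text in SAMPLE_LINKS:
        verdict = analyse_link(href, text)
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {href}")
        for reason in verdict["reasons"]:
            print("           -", reason)
```

Run stand-alone, the script prints one line per sample link plus the reasons it was flagged. The same `analyse_link` check can be applied to every anchor extracted from an HTML email body before the message reaches a mailbox, so that the Punycode form the user never sees on hover is still what the filter decides on.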

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

Never-seen-before Instagram phishing scam that can defraud any user
https://www.securitynewspaper.com/2022/03/16/never-seen-before-instagram-phishing-scam-that-can-defraud-any-user/ (Wed, 16 Mar 2022 22:52:47 +0000)

Phishing is still one of the most common and efficient cybercriminal practices, since in many cases attackers target unsuspecting users without knowledge in cybersecurity, not to mention that hackers resort to all kinds of deceptions to gain the trust of victims.

Specialists have detected a new Instagram phishing campaign in which threat actors use an email supposedly sent from this social media platform arguing that the user has to respond to an alleged “Instagram claim”. In the following screenshot, we can observe that the message is in plain text and in the subject line it simply mentions “INSTAGRAM SUPPORT”, just like in the sender’s line.

According to the report, this phishing and social engineering campaign is aimed at employees of an insurer in the U.S., under the guise of Instagram Support. The message was sent from a legitimate Outlook domain, and the hackers employed various techniques to evade Google’s email security mechanisms.

As for the content of the message, it states that the target user was reported because their activity on Instagram violates copyright laws. The attackers strategically designed this message with the clear intention of creating a sense of urgency in the user and forcing them to click on the attached link, setting a limit of 24 hours to respond to the alleged report.

As you can guess, the link redirects the user to a fraudulent website with a fake Instagram account verification page; you can even see the Meta logos and the web browser used. On this site the target user is asked to enter their Instagram login credentials and complete a supposed verification form.

If the target user falls into the trap, their login credentials are sent to a C&C server controlled by the hackers, leaving these sensitive data completely exposed.

This is an active campaign and can be highly harmful to affected organizations and users, so it is necessary to follow some recommendations to avoid a catastrophic scenario. The risks of this and other phishing campaigns can be reduced by following these recommendations:

  • Be careful before opening any unsolicited email. No legitimate company or organization requests personal information without prior contact
  • Do not download attachments or click on links included in these messages
  • Use different login credentials for your personal applications and business applications. Using the same passwords increases the risk of exposure in case hackers can access one of your passwords
  • Use multi-factor authentication for your online platforms whenever possible

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

This Outlook bug lets hackers access your emails just like Hillary Clinton
https://www.securitynewspaper.com/2019/12/04/this-outlook-bug-lets-hackers-access-your-emails-just-like-hillary-clinton/ (Wed, 04 Dec 2019 20:35:14 +0000)

According to web application security specialists, a recently patched vulnerability in Microsoft login system could have been exploited to trick some users into granting hackers full access to their online accounts.

Thanks to this vulnerability, threat actors could extract access tokens unnoticed, allowing them to access victims’ accounts without having to re-enter a password. These tokens are created by applications or websites and are used instead of usernames and passwords after users have first authenticated, allowing a persistent session with the website and access to third-party web applications without having to hand over their passwords there too.

The web application security experts in charge of the report mention that Microsoft left a security loophole that, if exploited, could be used by hackers to redirect these access tokens without the victims being able to notice the malicious activity.

Experts reported dozens of unregistered subdomains connected to some Microsoft-developed applications, which are highly trusted and whose associated subdomains can generate access tokens automatically and without users’ consent. With control of these subdomains, a threat actor only needs to trick the user into clicking a specially crafted link, attached to an email or embedded in a website, to extract the access token.

Most worryingly, web application security specialists say this could be achieved with minimal user interaction, as a malicious website could silently trigger a request equivalent to a click on the link, stealing the user’s token in the same way.

The good news is that unregistered subdomains have already been reported to Microsoft, which will prevent their malicious use. However, experts note that more of these subdomains could still be found. The report was issued in October and the company fixed the fault about twenty days later.

Some security flaws had already been found in the Microsoft login system. Last year, web application security specialists at the International Institute of Cyber Security (IICS) reported that the company fixed a security flaw that allowed hackers to alter the records of a Microsoft subdomain to extract access tokens.

Hackers attack eBay; the company’s logo was replaced by the picture of a nude girl
https://www.securitynewspaper.com/2019/09/09/hackers-attack-ebay-the-companys-logo-was-replaced-by-the-picture-of-a-nude-girl/ (Mon, 09 Sep 2019 23:01:46 +0000)

Users of the popular e-commerce website eBay were surprised to find that the company’s email logo was replaced by the image of a nude woman. The exact cause of the incident is not yet known, although information security services experts fear that it is the attack of a dangerous group of malicious hackers.

Site users who receive notifications from the Microsoft Outlook app appear to be the only ones affected. This group of users found a photo of a topless brunette woman instead of the company’s traditional logo when trying to track the shipment of their orders.

With lots of doubts due to the incident, sellers and customers tried to get more details through the company’s social media profiles. The Twitter user @chlo_imrie, for example, posted the modified logo image, tagging eBay in the post and asking, “Why this image is in the company’s email, I don’t understand”.

A company spokesman said: “Our team of information security services experts is working with Microsoft, which is one of our main email service providers for eBay users in the UK.” This statement suggests that the incident occurred in the tech giant, not on eBay. “Both companies are working to address the incident,” the spokesman added.

Although most of the affected users who posted on the company’s Twitter profile regarded this incident as anecdotal, and even a funny accident, it may not all be good news. According to information security services specialists from the International Institute of Cyber Security (IICS), a dangerous hacker group could be behind this incident, so the company’s security teams should not stop monitoring eBay’s systems for any evidence of intrusion: “Any possible explanation for this incident must be considered, at least until the company concludes its investigation and determines the origin of this event,” the experts note.

Your Outlook app may be allowing hackers to enter your Android smartphone
https://www.securitynewspaper.com/2019/06/21/your-outlook-app-may-be-allowing-hackers-to-enter-your-android-smartphone/ (Fri, 21 Jun 2019 18:57:10 +0000)

Microsoft has just released an updated version of the Outlook app for Android that, according to information security specialists, fixes a significant severity security flaw. The email app has about 100 million active users.

In a security report, Microsoft states that Outlook for Android version 3.0.88 and earlier contains a cross-site scripting (XSS) vulnerability tracked as CVE-2019-1105. The flaw exists because of the way the app parses incoming email messages.

According to the information security experts, if exploited, the vulnerability can help a remote threat actor to execute malicious client-side code on the target device; the hacker only needs to send a specially crafted email.

“After successfully exploiting this vulnerability, a hacker could perform XSS attacks on compromised systems by running scripts in the security context of any user,” the Microsoft report mentions.

According to the company’s information security team, the vulnerability was discovered by a group of independent researchers who notified the company through the proper vulnerability reporting procedure. The experts who discovered the flaw reported that it could lead to an identity spoofing attack.

Details about the attack or a proof of concept for the vulnerability are not yet available, and Microsoft reported that it has no evidence to prove that this attack has been exploited in the wild.

Specialists from the International Institute of Cyber Security (IICS) recommend Outlook for Android users check if their app has been updated automatically. Otherwise, the user must install the update manually from the official Google Play Store platform.

Multiple zero-day vulnerabilities have recently been reported in various Microsoft products, mainly Windows 10. The researcher known as SandboxEscaper has reported at least five new security bugs over the past six months in components such as Remote Desktop, Windows Server and Windows 10 Sandbox.

Hackers steal Microsoft Outlook login credentials to steal Bitcoin
https://www.securitynewspaper.com/2019/04/30/hackers-steal-microsoft-outlook-login-credentials-to-steal-bitcoin/ (Tue, 30 Apr 2019 23:19:30 +0000)


Cyber forensics course specialists report that a group of hackers has infiltrated the email accounts of several Outlook users to steal virtual assets, including Bitcoin. The total stolen amount is still unknown, although it is speculated that it could be considerable.

One of the victims, a Dutch engineer, claims that a threat actor somehow obtained the login credentials of some Microsoft employees. The engineer claims that the attackers used this access to scan hundreds of emails, change passwords, and steal Bitcoin addresses from multiple cryptocurrency exchange platforms.

According to cyber forensics course specialists, the hackers set up a forwarding rule that sent the victims’ emails to an address controlled by the attackers whenever a specific word was detected in a message.
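
Keyword-triggered forwarding rules of the kind described above are something a mail administrator can audit for. The script below is an added example, not code from the article: it walks a list of inbox rules and reports any rule that forwards to an address outside the organisation, noting the keyword conditions and whether the original is deleted afterwards. The rule records are constructed, and the field names (forward_to, body_contains, delete_after) are assumptions rather than any vendor's export format.

```python
"""Audit mailbox inbox rules for keyword-triggered forwarding to outside addresses.

Added example, not code from the article. The rule records are constructed and
the field names (forward_to, body_contains, ...) are assumptions, not any
vendor's export format; adapt them to whatever your mail platform exports.
"""
from dataclasses import dataclass, field


@dataclass
class InboxRule:
    mailbox: str                                           # owner of the rule
    name: str                                              # rule name as the user sees it
    forward_to: list = field(default_factory=list)         # forwarding targets
    body_contains: list = field(default_factory=list)      # keyword conditions on the body
    subject_contains: list = field(default_factory=list)   # keyword conditions on the subject
    delete_after: bool = False                             # delete the original once forwarded


# Domains that belong to the organisation; anything else counts as external.
ORG_DOMAINS = {"example.com"}

# Keywords that often appear in rules built to siphon account-recovery or crypto mail.
SENSITIVE_KEYWORDS = {"password", "reset", "verification", "bitcoin", "wallet", "2fa"}


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def audit_rule(rule: InboxRule) -> list:
    """Return the findings for one rule; an empty list means nothing suspicious."""
    findings = []
    external = [a for a in rule.forward_to if is_external(a)]
    if not external:
        return findings
    findings.append("forwards to external: " + ", ".join(external))
    keywords = [k.lower() for k in rule.body_contains + rule.subject_contains]
    if keywords:
        findings.append("triggered by keywords: " + ", ".join(keywords))
    if SENSITIVE_KEYWORDS.intersection(keywords):
        findings.append("keywords match account-recovery or crypto terms")
    if rule.delete_after:
        findings.append("deletes the original after forwarding (hides the activity)")
    return findings


def audit_rules(rules) -> dict:
    """Map 'mailbox/rule name' to its findings, for rules with at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[f"{rule.mailbox}/{rule.name}"] = findings
    return report


# Constructed sample: one benign internal rule and one shaped like the attack described above.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Team digest",
              forward_to=["team-archive@example.com"], subject_contains=["weekly"]),
    InboxRule("bob@example.com", "Sync",
              forward_to=["backup.mail@attacker.invalid"],
              body_contains=["bitcoin", "verification code"], delete_after=True),
]

if __name__ == "__main__":
    for key, findings in audit_rules(SAMPLE_RULES).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Running the audit on the sample reports only Bob's rule, with all four findings; the internal digest rule is left alone. Forwarding to an internal address is deliberately not flagged so the report stays short enough to review regularly.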

Unfortunately, the Dutch engineer’s case is not the only one known so far. Through Reddit, a user claimed to have lost over $20k USD in cryptocurrency after their data related to a Microsoft service was compromised. “Hackers didn’t even have to steal my credentials; they just gained access to the content of my email by making a password reset request”, the user says.

The victims have accused the company of trying to cover up this security incident in Outlook. Although the incident was revealed a couple of weeks ago by cyber forensics course specialists, Microsoft responded by stating that the incident had only compromised some metadata related to the users’ email addresses.

However, once it became known that the content of the victims’ emails had also been compromised, Microsoft revised its initial statements and began the process of notifying the hacking victims.

Specialists from the International Institute of Cyber Security (IICS) believe that Microsoft was wrong to downplay a serious security incident. The experts believe that the company tried to hide something obvious, which could seriously damage its image and lead to the loss of customers.

Microsoft was hacked – Outlook and employees’ accounts have been hacked
https://www.securitynewspaper.com/2019/04/15/microsoft-was-hacked-outlook-and-employees-accounts-have-been-hacked/ (Mon, 15 Apr 2019 19:18:17 +0000)


Microsoft has revealed that a group of unknown hackers has perpetrated a data breach in some of the company’s systems. According to cyber forensics course experts from the International Institute of Cyber Security (IICS), the hackers compromised the login credentials of some members of the company’s technical support team and, with those credentials, gained access to the email accounts of one of Microsoft’s customers.

Early findings indicate that the hackers attacked the company’s network sometime between January and March; shortly after the intrusion, the cybercriminals accessed Microsoft staff login data.

According to cyber forensics course experts, the company notified the customer of the situation, stating that: “An unfair access could have allowed an unauthorized user to access information related to your email account, as folder names, email subjects, among other data”. The company also stated that the attackers did not have access to the contents of the folders, messages or attachments.

The exact number of emails the hackers accessed is still unknown. In addition, Microsoft has not disclosed information about the affected employees, so it is unknown whether they work directly for the company or for an outsourced support provider.

Shortly after the incident was detected, Microsoft disabled the compromised login credentials and has kept up monitoring to block any further unauthorized login attempts.

According to cyber forensics course experts, the company issued a security alert to its customers, warning that this incident could lead to future phishing or spam campaigns via email. Users are encouraged to be wary of any suspicious email that asks them to provide personal information, click on a link, or download attachments.

The company has also recommended that its Outlook customers reset their passwords as an additional security measure, even though no client of this service has been directly affected by this incident.

Microsoft 365 service error causes Outlook and Exchange disruption
https://www.securitynewspaper.com/2019/01/29/microsoft-365-service-error-causes-outlook-and-exchange-disruption/ (Tue, 29 Jan 2019 00:35:31 +0000)


Users had trouble accessing their mailboxes for almost two days

The Microsoft 365 online work suite experienced service outage issues in recent days. Multiple users reported that they were not able to access their mailboxes through any platform, reported network security and ethical hacking experts from the International Institute of Cyber Security.

Some users also reported delays of up to three hours in sending and receiving their emails, as well as other service failures, such as receiving the same message multiple times.

Microsoft 365 is an online service that includes Office 365, Windows 10, and Windows Enterprise Mobility and Security. According to network security experts, outages in an online platform can have serious consequences; in this case, all Microsoft 365 users were affected by the same error in the cloud service.

Through Twitter, the Microsoft 365 team mentioned: “We have determined that a subset of the domain controller infrastructure is not responding. We are implementing some measures to mitigate the drawbacks. More details can be found in the Microsoft 365 Administration Center”.

While Microsoft was concluding its investigation into the incident, users around the world continued to report service failures that prevented them from sending and receiving their personal and business messages for almost two days.

Microsoft later reported that “a higher-than-expected queuing in the platform’s authentication infrastructure could be the cause of the incident. We are now working to identify the causes of this queuing as well as impact mitigation”.

A few hours later, Microsoft reported via Twitter: “Our telemetry data indicate flaws in the connection timeout within the Exchange authentication infrastructure, which generated this incident”.

After two days of disruption, Microsoft 365 users began reporting that the incident (identified as EX172491) had been fully resolved, according to network security experts.

Microsoft bug exposes 400 million Outlook and Office 360 accounts
https://www.securitynewspaper.com/2018/12/14/microsoft-bug-exposes-400-million-outlook-and-office-360-accounts/ (Fri, 14 Dec 2018 00:32:49 +0000)


The investigator who discovered the error will be rewarded by the company

Sahad Nk, a digital forensics expert from India and partner in a cybersecurity firm, has received a reward from Microsoft under the company’s bug bounty program for discovering and reporting a series of critical vulnerabilities affecting Microsoft accounts.

The vulnerabilities were present in the users’ Microsoft accounts, from Office files to Outlook emails, according to digital forensics specialists from the International Institute of Cyber Security. In other words, all kinds of Microsoft accounts (over 400 million) and all kinds of data were exposed to hacking. If chained, the bugs would become the perfect attack vector to access the Microsoft account of any user; all the attacker required was for the user to click on a link.

According to the report published by Sahad Nk, a Microsoft sub-domain (success.office.com) was not properly configured: its CNAME record (a record that points one domain name at another) made it possible for an outsider to take control of it. Using this record, Sahad was able to identify the misconfigured subdomain and point it at his personal Azure instance, gaining full control of the subdomain and all of its traffic.

Although this already seems serious by itself, the real problem for Microsoft is that the Office, Sway and Store applications could be tricked with relative ease into sending their login tokens to other domains under the control of potential attackers when a user logs into their Microsoft account.

As soon as the victim interacts with the specially designed link received by email, they are taken to the Microsoft Live login system. When the victim enters their user name, password and 2FA code (if enabled), an account access token is generated that allows the user to log in without re-entering their credentials.

If someone obtains this access token, it is equivalent to obtaining the user’s credentials themselves, the digital forensics experts mentioned. An attacker can therefore easily enter the account without alerting the original owner or Microsoft to the unauthorized access.

The malicious link is designed in a way that forces the Microsoft login system to send the account token to the controlled subdomain. In this case, the subdomain was controlled by Sahad; had a malicious attacker controlled it, a large number of Microsoft accounts could have been put at risk. The most disturbing thing is that the malicious link looks authentic, because the user is still signing in through the legitimate Microsoft login system.

The bug was corrected by Microsoft shortly after receiving the report; the amount of the bounty that the company gave to the expert was not disclosed.
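
The root cause described above, a CNAME record left pointing at a hosting target that no longer exists, is one that a defender can check for routinely. The script below is an added example, not code from the article or from the researcher: it walks a set of CNAME records, reports every one whose target does not resolve, and marks those whose target sits under a hosting-provider suffix where an unclaimed name can be registered by anyone. The zone entries and resolver answers are constructed, and CLAIMABLE_SUFFIXES is a placeholder for the provider suffixes an organisation actually tracks.

```python
"""Flag CNAME records whose target no longer resolves (dangling, takeover-prone).

Added example, not code from the article. The zone entries and resolver
answers below are constructed; CLAIMABLE_SUFFIXES is a placeholder for the
hosting-provider suffixes your organisation tracks.
"""
import socket

# Placeholder (assumption): DNS suffixes of providers where an unclaimed host name
# can be registered by anyone. Maintain this list for the providers you use.
CLAIMABLE_SUFFIXES = ("cloudapp.example.net",)


def dns_resolves(host: str) -> bool:
    """Live check using the standard library resolver; never raises, returns True/False."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def is_claimable(target: str) -> bool:
    """True if the target lives under a suffix where anyone could claim the name."""
    target = target.rstrip(".").lower()
    return any(target == s or target.endswith("." + s) for s in CLAIMABLE_SUFFIXES)


def find_dangling(cnames: dict, resolves=dns_resolves) -> list:
    """Return [{name, target, claimable}] for every CNAME whose target does not resolve.

    `resolves` is injectable so the check can run offline against recorded answers.
    """
    dangling = []
    for name, target in sorted(cnames.items()):
        if resolves(target):
            continue
        dangling.append({"name": name, "target": target, "claimable": is_claimable(target)})
    return dangling


# Constructed sample zone: owner name -> CNAME target.
SAMPLE_CNAMES = {
    "success.example.com": "success-prod.cloudapp.example.net",  # hosting target was deleted
    "old.example.com": "retired.example.org",                      # target gone, but not claimable
    "www.example.com": "www-lb.example.net",                       # healthy
}

# Constructed resolver answers for the sample targets.
SAMPLE_ANSWERS = {
    "www-lb.example.net": True,
    "retired.example.org": False,
    "success-prod.cloudapp.example.net": False,
}


def sample_resolver(host: str) -> bool:
    return SAMPLE_ANSWERS.get(host, False)


if __name__ == "__main__":
    for hit in find_dangling(SAMPLE_CNAMES, sample_resolver):
        flag = "CLAIMABLE" if hit["claimable"] else "dangling"
        print(f"{flag}: {hit['name']} -> {hit['target']}")
```

Both stale records are reported, but only the one under the claimable suffix is the takeover case; the other is merely broken. The fix in either case is the same: delete the CNAME before decommissioning the target, not after.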

Vulnerability in Outlook let hackers to steal password hashes
https://www.securitynewspaper.com/2018/04/12/vulnerability-outlook-let-hackers-steal-password-hashes/ (Thu, 12 Apr 2018 03:05:55 +0000)

Most people rely on an Outlook email address for work-related as well as personal tasks. Unfortunately, Outlook may not be as secure as we users would like to think. According to a report published by information security training experts at the Carnegie Mellon Software Engineering Institute, Outlook has a security bug that can leak password hashes when users preview Rich Text Format (RTF) emails that contain remotely hosted OLE objects.


This security vulnerability exists because the Redmond giant doesn’t use strict content verification and restrictions when loading items from a remote SMB server. On the other hand, the same vulnerability cannot be exploited when accessing web-hosted content as Microsoft applies much stricter restrictions when dealing with this type of content.

Outlook doesn’t load web-hosted images in emails in order to protect users’ IP addresses. However, when users access RTF email messages that contain OLE objects loaded from a remote SMB server, Outlook does load the respective images.

This leads to a series of leaks that include the IP address, domain name, and more, as the report explains:

Outlook blocks remote web content due to the privacy risk of web bugs. But with a rich text email, the OLE object is loaded with no user interaction… Here we can see that an SMB connection is being automatically negotiated. The only action that triggers this negotiation is Outlook previewing an email that is sent to it… I can see that the following things are being leaked: IP address, domain name, user name, host name, SMB session key. A remote OLE object in a rich text email message functions like a web bug on steroids.


Microsoft has partially fixed the problem. Microsoft recently rolled out a hotfix on Patch Tuesday to address this security issue. According to information security training experts, this solution is not 100% safe as it fails to block all remote SMB attacks.

Once this fix is installed, previewed email messages will no longer automatically connect to remote SMB servers. This fix helps to prevent the attacks outlined above. It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above. For example, if an email message has a UNC-style link that begins with “\\”, clicking the link initiates an SMB connection to the specified server.
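
Both variants described above, the automatically refreshed OLE link that fires on preview and the UNC-style link that fires on a click, leave a recognisable trace in the RTF body, so a mail gateway or a triage script can flag them before the message reaches a user. The script below is an added example, not code from the CERT report or from the article: it extracts embedded objects from an RTF body, decodes their payload, looks for UNC paths in both the payload and the visible text, and returns a verdict that distinguishes the no-click case from the one-click case. The RTF sample is constructed (its object payload is not a real OLE stream), and 203.0.113.5 is a documentation address standing in for an attacker-controlled SMB server.

```python
"""Flag rich-text mail that references remote SMB (UNC) resources.

Added example, not code from the CERT report or the article. The RTF sample is
constructed (the object payload is not a real OLE stream); 203.0.113.5 is a
documentation address standing in for an attacker-controlled SMB server.
"""
import re

# UNC path: two backslashes, a host, one backslash, then share and path.
UNC_RE = re.compile(r'\\\\[A-Za-z0-9._-]+\\[^\s"<>}\x00]+')

# Embedded object: \object, an optional \objautlink (the link is refreshed, and
# therefore fetched, when the message is rendered), then its hex payload in {\*\objdata ...}.
OBJECT_RE = re.compile(r'\\object(\\objautlink)?[^}]*?\{\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}')


def unc_targets_in_blob(blob: bytes) -> list:
    """Find UNC paths stored in an object payload as either 8-bit or UTF-16 text."""
    texts = (blob.decode("latin-1"), blob.decode("utf-16-le", errors="ignore"))
    return sorted({hit for text in texts for hit in UNC_RE.findall(text)})


def find_remote_references(rtf: str) -> dict:
    """Return the linked objects (with their UNC targets) and the UNC links in the text."""
    linked = []
    for m in OBJECT_RE.finditer(rtf):
        blob = bytes.fromhex(re.sub(r"\s", "", m.group(2)))
        linked.append({"auto_link": m.group(1) is not None,
                       "targets": unc_targets_in_blob(blob)})
    # In RTF source a literal backslash is written as "\\", so unescape before matching.
    unc_links = sorted(set(UNC_RE.findall(rtf.replace("\\\\", "\\"))))
    return {"linked_objects": linked, "unc_links": unc_links}


def verdict(findings: dict) -> str:
    """'auto': fetched on preview with no click (pre-patch behaviour);
    'click': a click is still enough; 'clean': no remote SMB reference found."""
    objects = findings["linked_objects"]
    if any(o["auto_link"] and o["targets"] for o in objects):
        return "auto"
    if findings["unc_links"] or any(o["targets"] for o in objects):
        return "click"
    return "clean"


def build_sample_rtf() -> str:
    """Constructed message: one auto-refreshing object on an SMB share plus a UNC link."""
    target = b"\\\\203.0.113.5\\share\\logo.png"
    blob = b"\x01\x05\x00\x00\x02\x00\x00\x00" + target + b"\x00"   # stand-in for an OLE stream
    return ("{\\rtf1\\ansi Quarterly report attached. "
            "{\\object\\objautlink\\objw100\\objh100{\\*\\objdata " + blob.hex() + "}} "
            "See also \\\\\\\\203.0.113.5\\\\share\\\\report.docx }")


if __name__ == "__main__":
    findings = find_remote_references(build_sample_rtf())
    print(verdict(findings), findings)
```

On the sample the verdict is "auto" because the linked object is marked \objautlink and carries a UNC target; a message that carried only the `\\` link in its text would be rated "click", which is exactly the residual exposure the paragraph above describes after the hotfix. In a gateway, either verdict is a reason to quarantine the message for review.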
