Microsoft Half-Patches Old Outlook Vulnerability

LASER_oneXM

Feb 4, 2016
Microsoft has published a patch for an Outlook vulnerability first reported in late 2016, but the patch has been deemed incomplete and additional workarounds are needed, according to the security researcher who discovered it.
Yesterday's April 2018 Patch Tuesday updates train included a fix for CVE-2018-0950, a vulnerability in Microsoft Outlook discovered by Will Dormann, a vulnerability analyst at the CERT Coordination Center (CERT/CC).

Outlook retrieves remote OLE content without prompting

According to Dormann, the main problem with CVE-2018-0950 is that Microsoft Outlook will automatically render the content of remote OLE objects embedded inside rich formatted emails without prompting the user, something that Microsoft does in other Office apps such as Word, Excel, and PowerPoint.

This leads to a slew of problems that come from automatically rendering OLE objects, a common attack vector for malware authors.

Dormann says that during his experiments he was able to exploit this Outlook OLE handling design decision to steal user account passwords (NTLM hashes, to be more precise) from Windows computers.
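A detection-side check for the class of message described above, as an added example that is not code from the post, from CERT/CC or from Microsoft: a mail gateway can run it over rich-text bodies and quarantine any whose embedded OLE object data points at a remote UNC share. The RTF sample it builds is constructed for the test, and the OLE blob inside it is a fake placeholder rather than a real object stream; only the UNC-path pattern matters for the heuristic.

```python
"""Flag RTF bodies whose embedded OLE objects reference a remote (UNC) path.

Heuristic only: it decodes every \\objdata hex blob and looks for a
\\\\host\\share style path in ASCII or UTF-16LE, and it reports whether the
object carries the auto-link/auto-update control words.
"""
import re
from binascii import hexlify

# \objdata groups hold the OLE object as hex; \objautlink and \objupdate mark
# objects the client refreshes (and thus fetches) without a user prompt.
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")
OBJECT_FLAGS_RE = re.compile(rb"\\(objautlink|objupdate)\b")
UNC_RE = re.compile(rb"\\\\[A-Za-z0-9._-]+\\[^\x00\s{}]+")


def decode_objdata(hexblob: bytes) -> bytes:
    """Turn the whitespace-separated hex payload of an \\objdata group into bytes."""
    clean = re.sub(rb"\s+", b"", hexblob)
    if len(clean) % 2:          # odd length: drop the dangling nibble
        clean = clean[:-1]
    return bytes.fromhex(clean.decode("ascii"))


def find_remote_unc_paths(rtf: bytes) -> list[str]:
    """Return every UNC path found inside any decoded OLE object blob."""
    hits: list[str] = []
    for m in OBJDATA_RE.finditer(rtf):
        raw = decode_objdata(m.group(1))
        # Link targets may be stored as ASCII or as UTF-16LE; check both views.
        views = [raw, raw.decode("utf-16-le", "ignore").encode("ascii", "ignore")]
        for blob in views:
            for u in UNC_RE.findall(blob):
                path = u.decode("ascii", "ignore")
                if path not in hits:
                    hits.append(path)
    return hits


def scan_rtf(rtf: bytes) -> dict:
    """Summarise why a body is suspicious: remote UNC targets plus auto-update flags."""
    unc = find_remote_unc_paths(rtf)
    flags = sorted({f.decode("ascii") for f in OBJECT_FLAGS_RE.findall(rtf)})
    return {"remote_unc_paths": unc, "auto_update_flags": flags, "suspicious": bool(unc)}


def build_sample(unc_path: str) -> bytes:
    """Constructed test input: minimal RTF around a fake (non-functional) objdata blob."""
    payload = b"\x01\x05\x00\x00\x02\x00\x00\x00" + unc_path.encode() + b"\x00"
    return (b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
            b"{\\*\\objdata " + hexlify(payload) + b"}}}")
```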