A vulnerability in Microsoft Outlook allowed hackers to steal a user’s Windows password just by having the target preview an email with a Rich Text Format (RTF) attachment that contained a remotely hosted OLE object.
The bug was patched by Microsoft as part of its April Patch Tuesday fixes, over a year after it was first identified.
“By convincing a user to preview an RTF email message with Microsoft Outlook, a remote, unauthenticated attacker may be able to obtain the victim’s IP address, domain name, user name, host name, and password hash,” according to the CERT description of the vulnerability, found by Will Dormann, a researcher with the CERT Coordination Center.
Next, Dormann was able to crack password hashes offline.
The vulnerability (CVE-2018-0950) is tied to how Windows Object Linking and Embedding (OLE) Automation works in the context of .RTF files. OLE is a Windows protocol that enables applications to share data. For example, OLE allows an author of a document to embed content, such as images and sounds, from one program into Microsoft Office documents as objects.
Dormann’s technique also used the Windows Server Message Block (SMB) protocol. SMB allows a file on a remote server to be accessed in much the same way as a file on a local drive, he wrote in a post outlining his research.
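A defensive check that follows from the SMB step described above, as an added example that is not from the article or from CERT: it scans connection-log lines for SMB sessions whose destination lies outside the internal network. The log format, the sample records and the internal address ranges are assumptions constructed for illustration.

```python
import ipaddress

# SMB over TCP: 445 (direct) and 139 (NetBIOS session service)
SMB_PORTS = {445, 139}

# Assumption: the organisation uses only RFC 1918 space internally.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_LOG = """\
2018-04-11T09:14:02Z 10.20.30.41 10.20.1.5 445 tcp
2018-04-11T09:14:07Z 10.20.30.41 203.0.113.77 445 tcp
2018-04-11T09:15:30Z 10.20.30.52 198.51.100.9 443 tcp
2018-04-11T09:16:12Z 10.20.30.52 198.51.100.23 139 tcp
malformed line
"""

def external_smb_events(log_text):
    """Return log records showing SMB traffic to a non-internal address."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip records that do not match the assumed format
        ts, src, dst, port, proto = parts
        try:
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # unparsable address or port
        if proto != "tcp" or port not in SMB_PORTS:
            continue
        if any(dst_ip in net for net in INTERNAL_NETS):
            continue  # SMB to an internal file server is expected
        hits.append({"time": ts, "src": src, "dst": dst, "port": port})
    return hits

if __name__ == "__main__":
    for event in external_smb_events(SAMPLE_LOG):
        print("outbound SMB:", event)
```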