December 17, 2015
One of a heaping collection of critical bug fixes pushed out by Microsoft on December 8 as part of the company’s monthly “Patch Tuesday” was an update to the Microsoft Office suite designed to close a vulnerability that would allow an attacker to sneak past Outlook’s security features. While the patch addressed multiple vulnerabilities in the way Office manages objects in memory, the most severe of them allows for remote code execution through a “specially crafted Microsoft Office file,” Microsoft reported.
Now more details of just how bad that vulnerability is have been provided by security researcher Haifei Li in a paper entitled “BadWinmail: The ‘Enterprise Killer’ Attack Vector in Microsoft Outlook.” The vulnerability allows a crafted attachment to an e-mail to bypass Outlook’s layers of security by exploiting Office’s Object Linking and Embedding (OLE) capabilities and Outlook’s Transport Neutral Encapsulation Format (TNEF)—the e-mail attachment method associated with Outlook messages’ winmail.dat attachments.
The winmail.dat file includes instructions on how to handle attachments embedded within it. “When the value of the ‘PidTagAttachMethod’ [within winmail.dat] is set to ATTACH_OLE (6),” Haifei wrote, “the ‘attachment file’ (which is another file contained in the winmail.dat file) will be rendered as an OLE object.”
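The condition Li describes can be checked on the defender's side before a message reaches Outlook. The following is an added example, not code from the article or from Li's paper: it walks a TNEF stream and counts attachments whose PidTagAttachMethod is ATTACH_OLE (6). The function names and the sample stream are constructed for illustration, the property layout follows Microsoft's [MS-OXTNEF] specification, and only single-valued, unnamed properties are handled (anything else raises an error).

```python
import struct

TNEF_SIGNATURE = 0x223E9F78
ATT_ATTACHMENT = 0x00069005        # attachment-level attribute holding MAPI properties
PID_TAG_ATTACH_METHOD, PT_LONG, ATTACH_OLE = 0x3705, 0x0003, 6
FIXED = {0x0002: 4, 0x0003: 4, 0x0004: 4, 0x0005: 8, 0x0006: 8, 0x0007: 8,
         0x000A: 4, 0x000B: 4, 0x0014: 8, 0x0040: 8, 0x0048: 16}  # padded sizes
VARIABLE = {0x000D, 0x001E, 0x001F, 0x0102}  # object, string8, unicode, binary

def attach_methods(props):
    """Return every PidTagAttachMethod value in one TNEF MAPI property list."""
    found, pos = [], 4
    for _ in range(struct.unpack_from("<I", props, 0)[0]):
        ptype, pid = struct.unpack_from("<HH", props, pos)
        pos += 4
        if pid >= 0x8000:
            raise ValueError("named properties are not handled in this example")
        if ptype in FIXED:
            if (pid, ptype) == (PID_TAG_ATTACH_METHOD, PT_LONG):
                found.append(struct.unpack_from("<I", props, pos)[0])
            pos += FIXED[ptype]
        elif ptype in VARIABLE:
            (count,) = struct.unpack_from("<I", props, pos)
            pos += 4
            for _ in range(count):
                (size,) = struct.unpack_from("<I", props, pos)
                pos += 4 + ((size + 3) & ~3)   # data is padded to 4 bytes
        else:
            raise ValueError(f"unhandled property type {ptype:#06x}")
    return found

def count_ole_attachments(tnef):
    """Count attachments in a TNEF stream whose attach method is ATTACH_OLE."""
    if struct.unpack_from("<I", tnef, 0)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos, hits = 6, 0                       # skip 4-byte signature and 2-byte key
    while pos + 9 <= len(tnef):
        _level, attr_id, length = struct.unpack_from("<BII", tnef, pos)
        if attr_id == ATT_ATTACHMENT:
            hits += attach_methods(tnef[pos + 9 : pos + 9 + length]).count(ATTACH_OLE)
        pos += 9 + length + 2              # header, data, 16-bit checksum
    return hits

def sample_tnef(method):
    """Constructed one-attachment stream: a filename plus the given attach method."""
    props = (struct.pack("<IHHII", 2, 0x001E, 0x3704, 1, 6) + b"a.doc\0\0\0"
             + struct.pack("<HHI", PT_LONG, PID_TAG_ATTACH_METHOD, method))
    attr = struct.pack("<BII", 2, ATT_ATTACHMENT, len(props)) + props
    return struct.pack("<IH", TNEF_SIGNATURE, 1) + attr + struct.pack("<H", sum(props) & 0xFFFF)
```

A mail gateway using a check like this would hold any winmail.dat for which the count is non-zero, and would treat a parse error the same way rather than passing the message through.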