[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] #BadWinmail: The "Enterprise Killer" Attack Vector in Microsoft Outlook
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>, "bugtrace@xxxxxxxxx" <bugtrace@xxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "submissions@xxxxxxxxxxxxxxxxxxxxxxx" <submissions@xxxxxxxxxxxxxxxxxxxxxxx>
- Subject: [FD] #BadWinmail: The "Enterprise Killer" Attack Vector in Microsoft Outlook
- From: Haifei Li <haifei-non-reply@xxxxxxxxxxx>
- Date: Tue, 15 Dec 2015 20:47:47 +0000
Hi All,
I have released a paper & demo describing a novel/serious attack vector I
discovered in Microsoft Outlook.
Paper: https://sites.google.com/site/zerodayresearch/BadWinmail.pdfDemo:
https://www.youtube.com/watch?v=ngWVbcLDPm8
Reference:https://technet.microsoft.com/en-us/library/security/ms15-131.aspxhttp://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6172
--ConclusionIn this report, the author disclosed a novel attack vector to
attack Outlook users via emails, which theauthor named as BadWinmail.
Specifically, we disclosed that a Flash (or other types of) exploit can
bepacked and delivered via a TNEF email (or MSG attachment). The most serious
impact is that the exploitwill get executed as long as the Outlook user
reads/previews the attacking email. Because there is nosandbox on Outlook, it
allows the attacker to take control of the victim’s computer immediately.
BadWinmail is an ideal attacking technique for targeted/APT attacks because of
its severity and thenature of email-based attacks - all the attacker needs to
know is the victim’s email address. It’s a “killer”exploit-delivering method as
usual tricks such as delivering via email attachments or delivering via URLs(in
email bodies) require additional user interactions and are protected by various
applicationsandboxes. It’s also a wormable issue rarely seen on Windows
platform nowadays.--
Thanks,Haifei
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/