Every now and then we repeat: never click on suspicious links, do not open files from unknown sources, always delete messages sent from unknown senders. And while all these tips are still up-to-date, they might not be effective if you are using Outlook – all of this won’t protect you from the BadWinmail threat. You don’t even need to click or open a message to catch the infection. You just get a message and you don’t even have to read it.
How is this possible?
If you are familiar with Microsoft Office, you probably know that you can embed objects in its files. Although not everyone, the list is quite long. This is called OLE technology (Object Linking or Embedding).
It turned out that this technology works not only in DOC or XLS files, but also in Outlook messages. It also turned out that the list of the above-mentioned objects contains, apart from general MS Office things, for example Adobe Flash objects.
You know why cybercriminals love Flash so much? Because there are a lot of gaps in it . Some of them belong to the zero-day group, which means they are unpatched. These vulnerabilities could be used to do things on your computer that you would definitely not want to do .
This is a known problem, and most vendors struggle with it the same way – they allow Flash content to run in their program (for example, a browser) only in the so-called sandbox. Malicious code can do anything in it, even start some fancy cyberapocalypse.
The point is, it can’t get out of the sandbox, so it won’t affect anything outside of it, so your files won’t get corrupted. Well, at least that’s the intention – sometimes this trick doesn’t work, but that’s another story.
If you’re waiting for the third „it turned out”, go ahead. It turned out that Outlook doesn’t use such a sandbox for potentially dangerous objects and starts everything in normal mode. This means that malicious code in embedded objects can act like any other program installed on your computer.
BadWinmail threat is dangerous for Outlook
The problem doesn’t stop with these three bad news. Outlook is helpful enough to open the latest email in front of yours. Therefore, when a malicious message with an attached BadWinmail exploit reaches your inbox, it is executed immediately after Outlook starts.
Haifei Li , a security researcher and vulnerability explorer, created the so-called proof of the concept of a possible attack using this threat which he called BadWinmail. He described it in surprisingly simple words in his study .
To understand the seriousness of the situation, imagine that someone is running some ransomware program on your computer .
The good news is that Haifei Li reported the vulnerability to Microsoft, and the company fixed it on December 8. The bad news is that people who don’t keep their programs up-to-date are still vulnerable. And many of them will have it for weeks, months, even years.
Since the report has been made public, many cybercriminals will certainly try to use this vulnerability to infect thousands, if not millions of computers in this way. And if you’ve been wondering if you need to update your software right away and use security software , I think you now have good reason to say yes.