
Microsoft Outlook 2007 - 2013 Denial Of Service

Posted Apr 3, 2014
Authored by Lubomir Stroetmann

Microsoft Outlook versions 2007 through 2013 suffer from a denial of service vulnerability.

tags | advisory, denial of service
SHA-256 | 6eca607c56b006c4f7b78e49106b52630cdb96b46ad746d45698cc710486021e

================================================
Denial of Service in Microsoft Outlook 2007-2013

Vulnerability Type: Denial of Service
CVE: -
Impact: Low
CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Status: Unpatched
Credits: Lubomir Stroetmann, softScheck GmbH
http://www.softscheck.com
================================================

Description
-----------
softScheck has identified a Denial of Service vulnerability in Microsoft Outlook 2007-2013. A remote attacker can send a plaintext email containing an XML bomb [1] as the message body, causing Outlook to freeze while opening the email. This forces the user to terminate the Outlook process. In the default Outlook configuration, in which email contents are displayed in a reading pane in the main window, the impact is more severe: Outlook will freeze while starting and will not be able to start anymore, since it tries to open and display the email during startup. To resolve the issue, Outlook needs to be started in safe mode and the email needs to be deleted. The Outlook security setting "Read all standard mail in plain text" is not an effective protection against this vulnerability; Outlook will still freeze when opening the email.

An XML bomb consists of a valid XML Document Type Definition (DTD) containing several nested entities, each referencing the preceding one. When the email is opened, Outlook freezes while trying to expand all nested entities in memory, which causes the Outlook process to steadily increase in RAM usage. This type of attack has been reported as early as 2003 and was covered in-depth in 2009 in a Microsoft publication [2]. After finishing the expansion, Outlook eventually returns to a stable state. This can take days, and because the work grows exponentially with the nesting depth, adding further nesting makes it take even longer.

Other inputs in Office applications are also affected since they use the same Office XML format parser (e.g. pasting an XML bomb into a Microsoft Word document).


Vulnerable versions
----------------------
- Outlook 2007
- Outlook 2010
- Outlook 2011 for Mac
- Outlook 2013
All tested with latest patch level.


Impact
---------
The attack is documented publicly and easy to exploit. The overall impact is low.


Mitigation
-----------
softScheck reported the vulnerability to Microsoft. Microsoft confirmed the issue; however, it does not meet their definition of a security vulnerability. Microsoft promises to address the issue in a future version of Outlook.

Effective protection against the vulnerability can be achieved by adding a rule blocking XML DTD Entities ("<!ENTITY", case-insensitive) to your spam filter. Creating an Outlook rule to permanently delete messages containing "<!ENTITY" also mitigates the attack.
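
The filter rule described above, sketched as a mail-gateway check (an added example, not code from softScheck or Microsoft). It decodes each text part before matching, because a base64 transfer encoding hides the literal "<!ENTITY" from a raw byte scan; the function names, addresses and sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# The advisory's pattern: "<!ENTITY", matched case-insensitively.
ENTITY_DECL = re.compile(r"<!ENTITY", re.IGNORECASE)


def text_parts(msg):
    """Yield (content_type, decoded_text) for every text/* leaf part."""
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        try:
            # get_content() undoes base64 / quoted-printable and the charset.
            yield part.get_content_type(), part.get_content()
        except (LookupError, UnicodeError):
            # Unknown or broken charset: fall back to the decoded raw bytes.
            raw = part.get_payload(decode=True) or b""
            yield part.get_content_type(), raw.decode("latin-1")


def should_quarantine(raw_message: bytes) -> bool:
    """True if any decoded text part contains a DTD entity declaration."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    return any(ENTITY_DECL.search(text) for _, text in text_parts(msg))


def build_sample(body: str, cte: str) -> bytes:
    """Constructed test message (hypothetical example.org addresses)."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.org"
    m["Subject"] = "constructed sample"
    m.set_content(body, cte=cte)
    return m.as_bytes()


# Constructed inputs: one harmless, non-nested entity declaration (lower case
# on purpose, to exercise the case-insensitive match) and an ordinary note.
DECL = ('<?xml version="1.0"?>\n'
        '<!DOCTYPE note [ <!entity greeting "hello"> ]>\n'
        '<note>&greeting;</note>\n')
PLAIN = "Meeting moved to 14:00, see you there.\n"

if __name__ == "__main__":
    for name, raw in [("7bit", build_sample(DECL, "7bit")),
                      ("base64", build_sample(DECL, "base64")),
                      ("plain note", build_sample(PLAIN, "7bit"))]:
        print(f"{name:10s} quarantine={should_quarantine(raw)}")
```

The rule is deliberately broad: it also quarantines legitimate mail that quotes a DTD, which is the trade-off the advisory's mitigation accepts.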


Timeline
--------
2014-02-26 Contacted Microsoft Security Response Center
2014-02-28 Contacted CERT/CC
2014-03-20 Contacted Microsoft Germany
2014-04-03 Public release of advisory


About softScheck
------------------
softScheck regularly conducts IT Security Audits of software and hardware. We offer "Security Testing as a Service" in the form of a complete process in order to raise the security level of our customers' software. softScheck provides security consulting in all aspects of the ISO 27000 series in addition to coaching and forensics.


References
------------
[1] http://en.wikipedia.org/wiki/Billion_laughs
[2] http://msdn.microsoft.com/en-us/magazine/ee335713.aspx


Lubomir Stroetmann
softScheck GmbH
http://www.softScheck.com
Bonner Str. 108, 53757 Sankt Augustin
Tel: +49 (2241) 255 43 - 0
Fax: +49 (2241) 255 43 - 29
PGP key ID: 0x626C2EDA7FA4E9AA
PGP fingerprint: 14D4 6FA7 CE13 D20F 6031 5269 626C 2EDA 7FA4 E9AA