================================================
Denial of Service in Microsoft Outlook 2007-2013

Vulnerability Type: Denial of Service 
CVE: -
Impact: Low
CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Status: Unpatched
Credits: Lubomir Stroetmann, softScheck GmbH
http://www.softscheck.com
================================================

Description
-----------
softScheck has identified a Denial of Service vulnerability in Microsoft Outlook 2007-2013. A remote attacker can send a plaintext email containing an XML bomb [1] as the message body, causing Outlook to freeze while opening the email. This forces the user to terminate the Outlook process. In the default Outlook configuration, in which email contents are displayed in a reading pane in the main window, the impact is more severe: Outlook will freeze while starting and will not be able to start anymore, since it tries to open and display the email during startup. To resolve the issue, Outlook needs to be started in safe mode and the email needs to be deleted. The Outlook security setting "Read all standard mail in plain text" is not an effective protection against this vulnerability; Outlook will still freeze when opening the email.

An XML bomb consists of a valid XML Document Type Definition (DTD) containing several nested entities, each referencing the preceding one. When the email is opened, Outlook freezes while trying to expand all nested entities in memory, which causes the Outlook process to steadily increase in RAM usage. This type of attack has been reported as early as 2003 and was covered in-depth in 2009 in a Microsoft publication [2]. After finishing the expansion, Outlook eventually returns to a stable state. This can take days and due to the exponential growth of the task it  can be expanded to take even longer by adding further nesting. 

Other inputs in Office applications are also affected since they use the same Office XML format parser (e.g. pasting an XML bomb into a Microsoft Word document).


Vulnerable versions
----------------------
- Outlook 2007
- Outlook 2010
- Outlook 2011 for Mac
- Outlook 2013
All tested with latest patch level.


Impact
---------
The attack is documented publicly and easy to exploit. The overall impact is low.


Mitigation
-----------
softScheck reported the vulnerability to Microsoft. Microsoft confirmed the issue, however, it does not meet their definition of a security vulnerability. Microsoft promises to address the issue in a future version of Outlook.

Effective protection against the vulnerability can be achieved by adding a rule blocking XML DTD Entities ("<!ENTITY", case-insensitive) to your spam filter. Creating an Outlook rule to permanently delete messages containing "<!ENTITY" also mitigates the attack. 


Timeline
--------
2014-02-26 Contacted Microsoft Security Response Center
2014-02-28 Contacted CERT/CC
2014-03-20 Contacted Microsoft Germany
2014-04-03 Public release of advisory


About softScheck
------------------
softScheck regularly conducts IT Security Audits of software and hardware. We offer "Security Testing as a Service" in the form of a complete process in order to raise the security level of our customers' software. softScheck provides security consulting in all aspects of the ISO 27000 series in addition to coaching and forensics.


References
------------
[1] http://en.wikipedia.org/wiki/Billion_laughs
[2] http://msdn.microsoft.com/en-us/magazine/ee335713.aspx


Lubomir Stroetmann
softScheck GmbH
http://www.softScheck.com
Bonner Str. 108, 53757 Sankt Augustin
Tel: +49 (2241) 255 43 - 0
Fax: +49 (2241) 255 43 - 29
PGP key ID: 0x626C2EDA7FA4E9AA
PGP fingerprint: 14D4 6FA7 CE13 D20F 6031 5269 626C 2EDA 7FA4 E9AA