what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Outlook 2007 - 2013 Denial Of Service

Microsoft Outlook 2007 - 2013 Denial Of Service
Posted Apr 3, 2014
Authored by Lubomir Stroetmann

Microsoft Outlook versions 2007 through 2013 suffer from a denial of service vulnerability.

tags | advisory, denial of service
SHA-256 | 6eca607c56b006c4f7b78e49106b52630cdb96b46ad746d45698cc710486021e

Microsoft Outlook 2007 - 2013 Denial Of Service

Change Mirror Download
================================================
Denial of Service in Microsoft Outlook 2007-2013

Vulnerability Type: Denial of Service
CVE: -
Impact: Low
CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Status: Unpatched
Credits: Lubomir Stroetmann, softScheck GmbH
http://www.softscheck.com
================================================

Description
-----------
softScheck has identified a Denial of Service vulnerability in Microsoft Outlook 2007-2013. A remote attacker can send a plaintext email containing an XML bomb [1] as the message body, causing Outlook to freeze while opening the email. This forces the user to terminate the Outlook process. In the default Outlook configuration, in which email contents are displayed in a reading pane in the main window, the impact is more severe: Outlook will freeze while starting and will not be able to start anymore, since it tries to open and display the email during startup. To resolve the issue, Outlook needs to be started in safe mode and the email needs to be deleted. The Outlook security setting "Read all standard mail in plain text" is not an effective protection against this vulnerability; Outlook will still freeze when opening the email.

An XML bomb consists of a valid XML Document Type Definition (DTD) containing several nested entities, each referencing the preceding one. When the email is opened, Outlook freezes while trying to expand all nested entities in memory, which causes the Outlook process to steadily increase in RAM usage. This type of attack has been reported as early as 2003 and was covered in-depth in 2009 in a Microsoft publication [2]. After finishing the expansion, Outlook eventually returns to a stable state. This can take days and due to the exponential growth of the task it can be expanded to take even longer by adding further nesting.

Other inputs in Office applications are also affected since they use the same Office XML format parser (e.g. pasting an XML bomb into a Microsoft Word document).


Vulnerable versions
----------------------
- Outlook 2007
- Outlook 2010
- Outlook 2011 for Mac
- Outlook 2013
All tested with latest patch level.


Impact
---------
The attack is documented publicly and easy to exploit. The overall impact is low.


Mitigation
-----------
softScheck reported the vulnerability to Microsoft. Microsoft confirmed the issue, however, it does not meet their definition of a security vulnerability. Microsoft promises to address the issue in a future version of Outlook.

Effective protection against the vulnerability can be achieved by adding a rule blocking XML DTD Entities ("<!ENTITY", case-insensitive) to your spam filter. Creating an Outlook rule to permanently delete messages containing "<!ENTITY" also mitigates the attack.


Timeline
--------
2014-02-26 Contacted Microsoft Security Response Center
2014-02-28 Contacted CERT/CC
2014-03-20 Contacted Microsoft Germany
2014-04-03 Public release of advisory


About softScheck
------------------
softScheck regularly conducts IT Security Audits of software and hardware. We offer "Security Testing as a Service" in the form of a complete process in order to raise the security level of our customers' software. softScheck provides security consulting in all aspects of the ISO 27000 series in addition to coaching and forensics.


References
------------
[1] http://en.wikipedia.org/wiki/Billion_laughs
[2] http://msdn.microsoft.com/en-us/magazine/ee335713.aspx


Lubomir Stroetmann
softScheck GmbH
http://www.softScheck.com
Bonner Str. 108, 53757 Sankt Augustin
Tel: +49 (2241) 255 43 - 0
Fax: +49 (2241) 255 43 - 29
PGP key ID: 0x626C2EDA7FA4E9AA
PGP fingerprint: 14D4 6FA7 CE13 D20F 6031 5269 626C 2EDA 7FA4 E9AA
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close