================================================
Denial of Service in Microsoft Outlook 2007-2013

Vulnerability Type: Denial of Service
CVE: -
Impact: Low
CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Status: Unpatched
Credits: Lubomir Stroetmann, softScheck GmbH
http://www.softscheck.com
================================================

Description
-----------

softScheck has identified a Denial of Service vulnerability in Microsoft Outlook 2007-2013. A remote attacker can send a plaintext email containing an XML bomb [1] as the message body, causing Outlook to freeze while opening the email. This forces the user to terminate the Outlook process.

In the default Outlook configuration, in which email contents are displayed in a reading pane in the main window, the impact is more severe: Outlook freezes during startup and can no longer be started at all, because it tries to open and display the email while starting. To resolve the issue, Outlook needs to be started in safe mode and the email needs to be deleted.

The Outlook security setting "Read all standard mail in plain text" is not an effective protection against this vulnerability; Outlook will still freeze when opening the email.

An XML bomb consists of a valid XML Document Type Definition (DTD) containing several nested entities, each referencing the preceding one. When the email is opened, Outlook freezes while trying to expand all nested entities in memory, which causes the RAM usage of the Outlook process to grow steadily. This type of attack was reported as early as 2003 and was covered in depth in 2009 in a Microsoft publication [2].

After finishing the expansion, Outlook eventually returns to a stable state. This can take days, and because the expansion grows exponentially with the nesting depth, adding further nesting makes it take even longer.

Other inputs in Office applications are also affected, since they use the same Office XML format parser (e.g. pasting an XML bomb into a Microsoft Word document).

Vulnerable versions
----------------------

- Outlook 2007
- Outlook 2010
- Outlook 2011 for Mac
- Outlook 2013

All tested with latest patch level.

Impact
---------

The attack is documented publicly and easy to exploit. The overall impact is low.

Mitigation
-----------

softScheck reported the vulnerability to Microsoft. Microsoft confirmed the issue; however, it does not meet their definition of a security vulnerability. Microsoft promises to address the issue in a future version of Outlook.

Effective protection against the vulnerability can be achieved by adding a rule blocking XML DTD Entities ("
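As an added illustration (not part of the advisory, and not softScheck's or Microsoft's code), the following Python script shows how a mail filter of the kind suggested under Mitigation could score an incoming plain-text message: it reads the DTD entity declarations and computes how large each entity would become if expanded, without ever expanding it, so the check itself cannot be made to hang. The regex-based DTD parsing, the `scan_email` function and its threshold are assumptions; the sample message is constructed.

```python
import re
from email import message_from_string
# Regex-based DTD scanning is an assumption for this illustration.
ENTITY_RE = re.compile(r'<!ENTITY\s+([\w.-]+)\s+"([^"]*)"\s*>')
REF_RE = re.compile(r'&([\w.-]+);')

def entity_expansion_sizes(dtd_text):
    """Expanded length of each declared entity, computed by walking the
    reference graph with memoisation instead of expanding the text.
    A cycle or a reference to an undeclared entity scores as unbounded."""
    defs = dict(ENTITY_RE.findall(dtd_text))
    sizes = {}
    def size(name, stack=()):
        if name in sizes:
            return sizes[name]
        if name not in defs or name in stack:
            return float('inf')
        body = defs[name]
        total = len(REF_RE.sub('', body))      # literal characters
        for ref in REF_RE.findall(body):       # plus each reference
            total += size(ref, stack + (name,))
        sizes[name] = total
        return total
    for name in defs:
        size(name)
    return sizes

def scan_email(raw_email, limit=1_000_000):
    """Return (flagged, worst_expansion) for a single-part plain-text email;
    flagged when any entity would expand past `limit` or the DTD is cyclic."""
    msg = message_from_string(raw_email)
    body = msg.get_payload() if not msg.is_multipart() else ''
    sizes = entity_expansion_sizes(body)
    worst = max(sizes.values(), default=0)
    return worst > limit, worst

# Constructed sample: three nesting levels, three references per level,
# so each level multiplies the expansion by three (3 -> 9 -> 27).
SAMPLE_EMAIL = """\
From: sender@example.invalid
Subject: constructed test message
Content-Type: text/plain; charset=us-ascii

<!DOCTYPE x [
<!ENTITY a "lol">
<!ENTITY b "&a;&a;&a;">
<!ENTITY c "&b;&b;&b;">
]>
<x>&c;</x>
"""
```

With the default 1,000,000-character limit the tiny sample passes; a message whose nesting would expand into gigabytes, or a DTD with an entity cycle, is flagged before any parser touches it.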