back to article Using Outlook? You should probably do some patching

Microsoft emitted a patch for all supported versions of Outlook on Patch Tuesday this month to prevent attackers harvesting credentials from users who simply preview a carefully crafted Rich Text (RTF) email. The vulnerability (CVE-2018-0950) exploited Outlook’s unfortunate habit of retrieving remotely hosted Object Linking …

  1. Anonymous Coward
    Anonymous Coward

    Password managers and SSO...

    Yup, we got an enterprise-wide SSO password manager - which means it stores all company passwords with reversible encryption somewhere... what about the recent article about 25% of attacks made by insiders?

    1. Kevin Johnston

      Re: Password managers and SSO...

      and people look at me oddly when they realise I don't use our SSO product. Since I have Admin rights on some systems I figured it better if I struggle to remember my password once in a while rather that have someone get hold of my AD login credentials and be me on all those systems with no extra effort.

  2. Notwork

    Hey Microsoft, if you could do a patch that would get rid of "Outlook is not responding" that'd be great, thanks.

    1. Dan 55 Silver badge

      Haven't they changed that message to "Hey there! We're not responding right now, but we'll be responding again right back at ya real soon now!" in the later versions?

      1. David 132 Silver badge

        Dan 55 Haven't they changed that message to "Hey there! We're not responding right now, but we'll be responding again right back at ya real soon now!" in the later versions?

        Great, just what we need, mail client applications with Genuine People Personalities™...

    2. Nolveys

      Hey Microsoft, if you could do a patch that would get rid of "Outlook is not responding" that'd be great, thanks.

      Microsoft is not responding...

  3. HighTension

    "stopping inbound and outbound SMB connections at the network border by blocking ports 445/tcp, 137/tcp, 139/tcp, as well as 137/udp and 139/udp."

    Pretty much any home ISP connection will block those anyway. Any corporate that's allowing those ports freely out to (or worse, in from) the general internet needs a serious clue-by-four application. I continually am flabbergasted in this day and age when we see stories of, eg, NoSQL servers being attacked from the internet. Who the hell configures a firewall that's not "block everything by default"? This is kindergarten level stuff...

    1. ecarlseen

      You're right, but...

      "Who the hell configures a firewall that's not 'block everything by default'?"

      Grievously, tragically, and unfortunately... it seems like damned near everyone.

      And what's worse is that more and more cloud services are expecting this behavior, especially conferencing apps (unless you want to keep up with their myriad and changing lists of ports and public subnets). I get that they don't want the latency of tunneling through HTTPS, but on the flip side things start becoming farcical on the firewall management side - especially when there are standardized protocols like SIP that could be used (SIP includes provisions for video and text messaging) with far less hassle. But that would allow us to use generic gateways instead of *their* gateways and prevent vendor lock-in, so screw us I guess.

    2. Anonymous Coward
      Anonymous Coward

      Outbound too

      It says outbound also. I doubt most residential routers ship with outbound rules in place by default.

  4. bombastic bob Silver badge

    People STILL use 'Virus Outbreak' aka Microsoft Outlook?

    what it says in the title.

    any - repeat *ANY* application *STUPIDLY WRITTEN* enough to preview attached (or especially REMOTE) content (or HTML, for that matter, especially with respect to DOWNLOADED or ATTACHED FONTS) in a preview window *DESERVES* whatever "UN-LOVE" it gets for doing so.

    'Virus Outbreak' is INSECURE BY DESIGN.

    (don't use it)

    icon, because, *facepalm*

    1. ecarlseen

      Re: People STILL use 'Virus Outbreak' aka Microsoft Outlook?

      MS Office is *really* tough to leave in a business environment. I've tried several times, but compatibility issues keep making it a "must have," and most third-party vendors expect it from an integration standpoint. It's not just the path of least resistance, it's the path of massively less resistance - even with the consideration that MS Office under volume licensing with software assurance is really damned expensive.

    2. Nate Amsden

      Re: People STILL use 'Virus Outbreak' aka Microsoft Outlook?

      I use Outlook 2010 (in a Win7 VM on vmware workstation on top of my linux laptop) still and it seems just about every email I get that has external content the content is blocked unless I right click and tell it to download.

      Also use Outlook Web access on office 365 that is where most of my work email is done, though sometimes regular outlook is better.

      Extended support for office 2010 seems to expire in 2020 so no need to upgrade and take on whatever UI changes MS has thrown at the system before I have to.

      The last time any of my personal computers/personal servers had an "infection" of malware of any kind that I was aware of was probably mid 1990s (due to pirating cracked games at the time).

    3. Ken Moorhouse Silver badge


      I veered from mild positivism to major negativism of Outlook when I found out about the 2Gb mailbox limit in old versions. Not the limit itself, but the way that Outlook allowed you to go over the limit and then announce that your mailbox needed the "inbox repair tool" to be able to function again. This is sloppy programming in not dealing with a boundary condition ahead of its manifestation. The fact that MS gave you a tool to "cure" the corruption rather than prevent it in the first place says a lot. And don't get me started on winmail.dat.

  5. Anonymous Coward
    Anonymous Coward

    Outlook preview pain

    Maybe I'm misremembering, but didn't Outlook have an option to "disable preview pane" as of some time in the late 20th century? Thunderbird still does.

    I quite liked Outlook back in the day, due to its combination of email, calendar, contacts, etc.

    In fact I liked it so much that since leaving my corporate employers a few years ago, I've paid real money for Outlook, twice, in the last few years. Sadly, neither of them were legit working versions, so I won't make the same mistake again if I can help it.

    The first one, from a well known Marketplace, looked like a home grown DVD and a dodgy corporate key, which wasn't a complete surprise given the price, so it stayed unused.

    More recently the 2nd one was bought from the well known retailer themselves with the intention of replacing a "free" online email package in use by a tiny non-profit org, with something more, er, 'professional'.

    It appeared to be a legit download but with an online "support id" rather than "product key". Despite paying pretty much full retail price for Office 2016 Home and Business, and despite hours on the phone or in chat with Microsoft support, it refused to activate. Money down the drain again?

    Not going to make the same mistake again :(

    1. The Oncoming Scorn Silver badge

      Re: Outlook preview pain

      I bought a quite a few of those licenses from Amazon (Got a bonus one too) for all the main machines & all activated without a issue, one refused to reactivate after a reimage so the spare got dragged into play.

      There's also a backup image for next time if need arises.

    2. Hans 1

      Re: Outlook preview pain

      Get a license on Amazon, $10 ... download from MS, all good. This, is legal if you live in the EU, IANAL, but other regions seem to have different laws.

      Basically, companies that have volume licenses purchase stuff which contains an OEM license for Windows/Office .... this OEM license they are legally allowed to sell if they do not use it. A bunch of companies buy these up and sell them on Amazon ...

  6. Anonymous Coward
    Anonymous Coward

    I prefer reading my emails in plain text anyway, helps avoid this problem...

  7. lerie

    If you are still using Outlook in 2018, you're probably hacked already.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like