Microsoft: Patch this severe Outlook bug that Russian miscreants exploited

Microsoft's March Patch Tuesday includes new fixes for 74 bugs, two of which are already being actively exploited, and nine that are rated critical. Let's start with the two that miscreants found before Redmond issued a fix. First up: prioritize patching CVE-2023-23397, a privilege elevation bug in Microsoft Outlook that …

  1. Paul Crawford Silver badge
    Facepalm

    "The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client," Microsoft explained. "This could lead to exploitation BEFORE the email is viewed in the Preview Pane."

    Outlook, the gift to criminals that keeps giving!

    1. Anonymous Coward
      Anonymous Coward

      Is it just me or is Microsoft's definition of "patching" now "the process to replace discovered security exposures with new, yet unaddressed ones"?

      The top Internet traffic used to be spam and p*rn, I think it's now Microsoft patches.

  2. Rich 2 Silver badge

    Crap Software R Us

    It’s 2023 and M$ STILL can’t write an email client that isn’t a security Swiss cheese and doesn’t fuck up.

    Astonishing. Utterly astonishing.

    1. Anonymous Coward
      Anonymous Coward

      Re: Crap Software R Us

      Actually I think they must have some ulterior motive for having an insecure MUA; it doesn't seem credible that they have so many issues accidentally.

      1. Paul Crawford Silver badge

        Re: Crap Software R Us

        https://en.wikipedia.org/wiki/Hanlon%27s_razor

        1. cyberdemon Silver badge
          Devil

          Re: Crap Software R Us

          The trouble is, Hanlon's Razor when applied to Microsoft gets clogged up with so much incompetence that it starts agreeing with Ian Fleming's oft-quoted quip.

          Once is Happenstance.. Twice is coincidence.. However many thousand Outlook bugs.. incompetence??? All of them?? Really?

      2. Anonymous Coward
        Anonymous Coward

        Re: Crap Software R Us

        Yup, gotta keep them backdoors open for all those agencies availing themselves of the Cloud Act. Can't have pesky Europeans insist on privacy, after all, Americans don't get that either.

    2. J. Cook Silver badge
      Devil

      Re: Crap Software R Us

      To play devil's advocate, it's legacy code that probably has exactly ONE customer that uses that exploit legitimately, and they are a multi-billion (or multi-trillion) dollar entity.

      The better question to ask is "why hasn't NTLM been put out to pasture already in favor of Kerberos?"

      1. Ken Hagan Gold badge

        Re: Crap Software R Us

        It has. You can disable NTLM across your network with a couple of policy settings. This came in pre-pandemic. If you haven't done it yet, presumably you have some third-party apps that depend on it, still, 3 or more years after you should have started looking for an alternative.

      2. Anonymous Coward
        Anonymous Coward

        Re: Crap Software R Us

        Because it's not Kerberos-the-standard, but Kerberos-the-way-Microsoft-made-it-proprietary?

        1. Michael Wojcik Silver badge

          Re: Crap Software R Us

          Versus that widely-deployed standard NTLM? Microsoft's sins against Kerberos are not a reason to get rid of NTLM.

          1. J. Cook Silver badge
            Joke

            Re: Crap Software R Us

            Indeed; NTLM (even NTLMV2!) has more than enough sins against it for reason to kick it to the Kerb(eros)

            :: runs away quickly ::

      3. mmccul

        Re: Crap Software R Us

        Alas, Kerberos (not just MS's version, Heimdal as well) is not much better. Before the torches and pitchforks are pulled out, here's what I mean.

        I had to dig into NIST SP 800-53 rev5 compliance with IA-5 (1) on passwords and discovered that NTLMv2 and Kerberos do not salt their password hashes. I then found out that other implementations of Kerberos don't salt their passwords either -- or if they do, it is a single fixed salt that is just the name of the realm. The reasons for this that I could find in writing went back to the way authentication worked in Kerberos, and it was extremely difficult (I won't say impossible, but it might be) to have a unique, per-hash random salt.

        It's also important to remember that NTLM and NTLMv2 are distinct protocols and one shouldn't consider them the same thing. NTLMv1 (aka NTLM) absolutely should be disabled. NTLMv2 is notably better, though per Microsoft it still has vulnerabilities to various man in the middle and hash based attacks. Alas, I've yet to see a functional alternative that isn't full cloud.

    3. Version 1.0 Silver badge
      Unhappy

      Re: Crap Software R Us

      Not too astonishing, all the criminals are working from home and there are a hell of a lot more of them than corporate programmers working to upgrade yesterday's bugs with some new ones. That's not a criticism, it's just the way things are going everywhere these days. Our daily malware arrivals are up 50% today but we're just busy blocking them all because the mail server AV was updated yesterday, not today yet.

    4. sgp

      Re: Crap Software R Us

      Well, a Swiss cheese is a fine security model as long as the holes don't match up. Do you mean a certain Swiss bank maybe?

  3. AnotherName
    WTF?

    Update progress?

    Why does every Cumulative Update for Windows versions always go from 0% to 100% fairly quickly, then drop back to 0% and proceed to 20% before sticking there for ages until it finally creeps up to 100%? It's done this for years now. Why can't they just look at how many files or bytes they have to replace and give percentage progress based on files or bytes copied?

    Add to that, the software that updates/installs and sits at 100% for minutes? It's either done or it isn't.

    1. Anonymous Coward
      Anonymous Coward

      Re: Update progress?

      I described Windows Update as a clunky bag of rusty nails, 15 years old on this site. Nothing has changed, if anything it's worse, because of the whack-a-mole effort required to remove the crap Microsoft Store randomly installs, taking up so many clock cycles. I've had to remove the Xbox Game Bar crap umpteen times, and the only way to do so is using PowerShell.

      Microsoft Photos is still randomly taking up 50% of CPU, through Shell Infrastructure Host, until you kill the process.

      Couldn't care less about 'Moments'.

      1. Calum Morrison

        Re: Update progress?

        If you need to remove all the crud that comes pre-installed with Windows (including Skype and Xbox etc.) you need O&O App Buster. Someone mentioned it on here a few months ago and it's been part of my installation routine ever since. It's just fantastic.

    2. J. Cook Silver badge

      Re: Update progress?

      That's probably the signature verification phase of the install; I know that .NET installers do that all the damn time.

    3. Anonymous Coward
      Anonymous Coward

      Re: Update progress?

      Maybe the backdoors it has to re-establish after yet another 'security problem' has been discovered come from a different location?

      Just curious paranoid..

    4. bootlesshacker

      Re: Update progress?

      Had to reverse a security patch on a server recently that was stuck at 100% complete for over an hour. No other forms of feedback as to what it was doing - at what point do you start to think it's gone wrong and hard reboot, potentially causing more issues?

      1. John Brown (no body) Silver badge

        Re: Update progress?

        One of the biggest problems I find using Windows is the lack of feedback on what is going on. MS claim it's to make Windows more "friendly" to their poor dumb users by hiding the confusing technical stuff. They really don't think much of their users and pander to the lowest common denominator. I wonder how many of those "poor dumb users" re-boot or power cycle when updates are taking too long and, as stated above, are showing 100% complete while still not returning control to the users?

        After all, they have those annoying notifications for all sorts of useless crap but don't seem to use it themselves for actual useful notifications.

  4. Anonymous Coward
    Anonymous Coward

    Mind blown

    The details of the Outlook flaw are glorious.

    It exploits a property that lets the SENDER of a mail item specify the sound that is made on the RECIPIENT'S system when a reminder goes off. All you need to do is set this property to point to a malicious UNC path and collect NTLM hashes.

    Mind is blown.

    https://www.bleepingcomputer.com/news/security/critical-microsoft-outlook-bug-poc-shows-how-easy-it-is-to-exploit/

    1. cyberdemon Silver badge
      Facepalm

      Re: Mind blown

      Arrgh

      What pointy-haired-boss declaring "We really have to beat AOL" thought this would be a good idea?

      1. Anonymous Coward
        Anonymous Coward

        Re: Mind blown

        Presumably somebody, somewhere, a very long time ago asked MS for this functionality so an IMPORTANT PERSON could chivvy their minions with annoying sounds. Nobody considered the internet implications. It then got forgotten about.

    2. John Brown (no body) Silver badge

      Re: Mind blown

      "Mind is blown."

      Wow! Me too after hearing that. More so when you consider how difficult MS have made it for the user to choose their OWN sounds in the first place!

  5. SnOOpy168

    I think it's deliberate by the developers. It helps keep their job, in demand, until their retirement or H-1B visa runs out.

  6. Charlie Clark Silver badge
    Mushroom

    Solution often as bad as the problem

    At least, judging by the problems our sys admins are having with SCEP (certificate management) since problems last year. We've had access completely bricked at least once and certificate deployment broken (used via MMD to provide secure access to mobile devices) more than once. Not only is this inconvenient, it's bloody expensive to track down and fix.

    Ordinarily, this would lead to at least the threat of legal action. But this is software and Microsoft only has to promise to fix things in future updates. And, remember, recent changes in their support policy mean they won't answer questions if you're not running the most recent version of the product, even if your version is still officially "supported".

  7. 43300 Silver badge

    As regards updating Outlook, the article gives the impression that this is a pro-active process which sysadmins will need to take. This can't be the case as Office CTR (i.e. all recent versions) updates itself and cannot be controlled through WSUS, etc.

    Incidentally, the problem caused by last month's patch to Windows Server 2022, whereby if Secure Boot was on virtual machines on VMWare 7.x and below, and some bare metal installs (assorted hardware from various manufacturers) appears to have been fixed. VMWare issued an ESXi patch a few weeks back and MS's service health continued to claim that it was just VMWare VMs affected, and that as VMWare had fixed it MS didn't need to do anything - so far as I'm aware they never publicly acknowledged that it could affect bare metal installs too. However, they appear to have quietly fixed it with this month's patch - the affected servers I had (Dell PowerEdge 13G models) will now boot again with Secure Boot turned on.

  8. Steve Davies 3 Silver badge
    Big Brother

    Lookout.... there is a Russian about

    Sorry, could not resist.

  9. M.V. Lipvig Silver badge

    Poor Putin

    After his yearlong run of stupidity he now has to live inside a wall of burly men to keep from being shot. Everywhere he now looks, all he sees is dudes. His life is a sausagefest, and he's the pivot point.

    I think his problem, as all self-inflicted problems, is funny. If only his self-inflicted problem only affected him though. What he's been doing to other nations next door is an atrocity. He really needs to get it through his head that the USSR is gone and it's never coming back, and former member nations already know what it's like living under Russia's thumb and are NOT going to have that again. Be great to read a headline saying one of his generals popped one in the back of his head before he decides to launch.

  10. First Light

    It's most likely the only way this thing is going to end.

  11. lockt-in

    Can't get sacked for buying Microsoft

    Decades ago there used to be a saying/feeling "You can't get sacked for buying IBM", even where there were better alternatives.

    Outlook is a security risk, being a victim of targeting because it is so popular. Webmail is probably the way to go, but is the sole use of Microsoft webmail good enough? Is webmail generally more secure? This bug sounds like a nightmare that could have been exploited for years? Could be a lot of malware/compromises now!

    ...Outlook is *very* high maintenance compared to Thunderbird in the enterprise, based on enterprise experience with both. But I don't think Thunderbird is better in any other way other than being less popular and therefore less vulnerable.

    Anyway, don't really care, just anticipating an internet worm that ends lots of businesses, going to be interesting. I wonder if Putin is capable of triggering some worm if he is cornered too much.

    1. 43300 Silver badge

      Re: Can't get sacked for buying Microsoft

      Microsoft's webmail is bloody awful! Clunky, difficult to use and with some functionality completely missing compared to Outlook.

  12. Anonymous Coward
    Facepalm

    Bug already been exploited in the wild by miscreants in Russia?

    Yea, shouldn't have used an IP address registered to the FSB /s
