Why Microsoft just patched a patch that squashed an under-attack Outlook bug

Microsoft in March fixed an interesting security hole in Outlook that was exploited by miscreants to leak victims' Windows credentials. This week the IT giant fixed that fix as part of its monthly Patch Tuesday update. To remind you of the original bug, tracked as CVE-2023-23397: it was possible to send someone an email that …

  1. that one in the corner Silver badge

    Value to users

    > Barnea wrote that he hoped Microsoft will remove the custom reminder sound feature, saying it poses more security risks than any potential value to users.

    Does anyone have *any* use-case for this feature that would *ever* have had any value to the users of Outlook (the ones receiving the email, at least)?

    So far, the only uses I've come up with are:

    - spamming recipients with advertising jingles

    - creating an online service that'll allow you to anonymously send emails with an attached fart noise as a reminder

    So far, my money is on the second option being the only reason the feature was ever added in the first place.

    1. Neil Barnes Silver badge
      Mushroom

      Re: Value to users

      I wonder whether anyone, anywhere, ever (outside MS, of course) said to themselves, hey, I wish I could get emails with noises as notifications!

      There seems to be an ongoing effort to turn everything into a toy by overloading original functionality with gimmickry. (Though to be fair, I suppose someone might like that kind of thing. Personally, the first thing I do with a computer is turn off all the animation and sound and special effects...)

      1. Anonymous Coward
        Anonymous Coward

        Re: Value to users

        > There seems to be an ongoing effort to turn everything into a toy by overloading original functionality with gimmickry

        This. It's almost as if Microsoft doesn't want people to get any work done.

        1. Version 1.0 Silver badge
          Facepalm

          Re: Value to users

          And everything is written these days to add new features and be attractive to users, encouraging them to buy the new version. It seems that nothing is written to be totally safe because that would mean a lot more effort to write the app and then work to verify that it was not hackable. Corporate managers seem to be far more interested in "an upgrade" than offering completely safe functions.

          Hackable applications need to be replaced, users need to buy the new versions so hacking is making everyone (except all of us users) a lot of money these days.

    2. abend0c4 Silver badge

      Re: Value to users

      The problem here is really NTLM which was never intended for life beyond the local LAN (even assuming you could live with its foibles there). If you can persuade any application to open an arbitrary UNC path you run the same risk.

      In order to mitigate that risk, you have to sanitise every possible remote access which is a burdensome, if not infeasible, task and it's something of a miracle that the ones that are still lurking are quite as obscure as this. More obvious ones have included UNC paths in (for example) stylesheet links in HTML documents.

      The whole horror is explained in a little more detail here: https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/

      The idea of a remotely-sourced custom "ping" for an email may be dubious, but the same vulnerability would once have applied to many of the other things that e-mail might have contained (pictures, for example) and they've only been fixed in a long-running game of whack-a-mole. Others will appear until NTLM is finally nuked to lifeless misery.

      1. Paul Crawford Silver badge

        Re: Value to users

        No, the real problem here is that Outlook tries to do anything with an email beyond displaying what was contained within it.

        Emails should be self-contained, non-executable in any sense, and anything referencing the outside world (i.e. beyond the email's actual content) should be clear as to what it is and should have to be explicitly clicked upon to act. Even that is stupid really, as it still opened the door to spammers and advert trackers.

        1. Michael Wojcik Silver badge

          Re: Value to users

          Even "displaying what was contained within it" is an unnecessary vulnerability, since many image-rendering libraries, for example, have had exploitable flaws.

          MIME hugely increased the attack surface of email, and overly-ambitious MIME MUAs ushered in a world of pain.

          Image display ought to be optional, with images not rendered until the user asks them to be. (Outlook has incomplete support for this; I raised an issue about Outlook's rendering of Windows metafile images, which can't be disabled, decades ago on VULN-DEV, for example.) Only local fonts should be allowed, with no font embedding. There's no reason to support audio or video at all. And so on.

    3. Jonathan Richards 1 Silver badge

      Re: Value to users

      > Does anyone have *any* use-case

      I love it when I click on Post a comment and find that someone has already said, rather eloquently in this case, just exactly what I wanted to put in MY comment!

    4. david 12 Silver badge

      "You have mail"

      It's not like this is specific to MS: my phone cues when I get SMS or when an alarm or reminder goes off, and the sound cues are adjustable/selectable and custom.

      The "you have mail" sound was a feature that pre-dates MS's importance in the field, and was included as a feature to match the existing dominant players.

      The reason the existing dominant players implemented sound cues was because people did other things while running the computer in the background. Partly this was just generic: computers ran so slow that you wanted to get on with other things while you waited, and partly this was specific to email: people used email for instant messaging and telephone replacement, and you wanted to get on with other things.

      Email is less important to many people than it used to be, and the corresponding use cases are more restricted now.

      1. that one in the corner Silver badge

        Re: "You have mail"

        Sound cues have been around since the teletype - hopefully that rings an ASCII 7. And we've pretty much always been able to customise them (even if the original OS didn't provide the means): Three BELs and All's Well during your long process. Remember using the 'wall' command to let everyone know they had five minutes left to finish before the PDP lab was closing for the day?

        Then the noises became more elaborate when home computers came along (SID or the BBC's nicer chip weren't just used in games and Econet existed for passing messages around). Probably at least one person connected their Atari ST up to poll for email (did KA9Q run on Atari? Something similar did, no doubt) and then send MIDI to a pipe organ; if not, for shame on us all.

        It all went backwards again with the PC speaker (many a TSR died to bring us this message notification), although you could get the floppy drive to make a nice set of noises. Hmm, anyone know if anybody used the different clunks a big old hard drive could make as notification alarms? Then the sound card came along and much rejoicing was heard, followed shortly by "how do you turn off all these noises in Windows?"! Sod "you have mail", that can be useful, but why oh why does the entire office need to know when Fred has closed a window? Use the headphones, Fred!

        What you perhaps missed here is that, unlike all of the above useful and entertaining historical usage of audible notifications, this particular "feature" we have been discussing lets ME choose what sound YOUR system makes! Muah-ha-ha-ha (would be my choice in many cases).

        1. Flightmode
          Pint

          Re: "You have mail"

          > hopefully that rings an ASCII 7

          It started off great and only got better from there.

          Go look up the latest from the Floppotron on Youtube and enjoy this cold one from me. ------------>

    5. Bitbeisser

      Re: Value to users

      > Barnea wrote that he hoped Microsoft will remove the custom reminder sound feature, saying it poses more security risks than any potential value to users.

      But look at the bright side, Microsoft comes out with new icons every other week. Or so....

  2. PRR Silver badge
    FAIL

    Adding slashes to path is an OLD windows vulnerability. 20 years IIRC. Microsoft just can't get it right.

    Aside from the fact that custom reminder-jingles is not worth working on (or supporting!) in the first case.

    1. Michael Wojcik Silver badge

      It's amazing how many Windows developers are unaware of how Windows path handling actually works, for example being unaware of the extended-length / Unicode path prefix ("\\?\"). Apparently that includes many who work for Microsoft.
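Taking PRR's point about slashes in paths and Michael Wojcik's about the `\\?\` prefix from the defender's side, here is an added example (not Microsoft's or Outlook's code) that contrasts a deny-list check with an allow-list check for a file path that arrives from an untrusted party, such as a reminder-sound path carried in an email. The sample paths and the hostname remote.example are constructed for illustration.

```python
import re

# Added example, not code from Outlook or Microsoft: contrasts a deny-list check
# with an allow-list check for a file path supplied by an untrusted party.
# Sample paths below are constructed; remote.example is a reserved example host.

def deny_list_blocks(path: str) -> bool:
    """Naive check: reject only paths that literally begin with two backslashes.
    This is the pattern that keeps needing re-patching, because Windows also
    accepts forward slashes as separators and understands other path prefixes."""
    return path.startswith("\\\\")

# Allow-list: a drive letter, a colon and a backslash, then components made of
# ordinary file-name characters. Everything else is rejected without having to
# enumerate every remote or namespace-prefixed form Windows understands.
_COMPONENT = r'[^\\/:*?"<>|\r\n]+'
_LOCAL_FILE = re.compile(r"[A-Za-z]:\\(?:" + _COMPONENT + r"\\)*" + _COMPONENT)

def allow_list_permits(path: str) -> bool:
    """Accept only a plain absolute local path whose components are sane."""
    if not _LOCAL_FILE.fullmatch(path):
        return False
    for part in path[3:].split("\\"):
        # "." and ".." are traversal; trailing dots and spaces are silently
        # stripped by Win32, so such a component names a file other than the
        # one that was checked.
        if part in (".", "..") or part != part.rstrip(" ."):
            return False
    return True

def classify(path: str) -> dict:
    """Return both verdicts so the two approaches can be compared side by side."""
    return {"deny_list_blocks": deny_list_blocks(path),
            "allow_list_permits": allow_list_permits(path)}

# Constructed sample paths; comments give the expected verdicts.
SAMPLE_PATHS = [
    r"C:\Windows\Media\chimes.wav",        # ordinary local file: only the allow-list says yes
    r"\\remote.example\share\tone.wav",    # classic UNC path: both checks reject it
    r"//remote.example/share/tone.wav",    # slash form: the deny-list misses it
    r"C:\..\..\tone.wav",                  # traversal: only the allow-list rejects it
    r"\\?\C:\Windows\Media\chimes.wav",    # extended-length local path: rejected by both,
                                           # a deliberate false positive of the allow-list
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:40} {classify(p)}")
```

The allow-list's false positive on the `\\?\` form is the trade-off to accept: a strict shape test needs no knowledge of every prefix Windows will normalise, which is exactly the knowledge the deny-list approach keeps getting wrong.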

  3. b0llchit Silver badge
    FAIL

    Security fail by design

    I long for the days when email was plain text. Who thought that auto linking, fetching and executing in mails was a good idea?

    1. Anonymous Coward
      Anonymous Coward

      Re: Security fail by design

      The worst thing is that initial failures (of what are, after all, mere gimmicks) didn't act as a deterrent for all this idiocy. No, they even doubled down on it.

      That turned Microsoft products into the biggest risk vector for any business. At least *that* has remained consistent.

      1. veti Silver badge

        Re: Security fail by design

        Microsoft's problem is - has always been - that it is trying to juggle two mutually contradictory ideas. There's the notion that it's your computer, you should be able to do just about anything you want with it, versus the notion that people who don't want all this functionality should still be able to use their machines safely. IMO, it's to their credit that they've never abandoned the first of these ideas in the face of the near-overwhelming pressure of the second.

        The practical kludges that they've come up with, in an effort to reconcile these two, have often been... less than perfect. But at least they're trying, which is more than anyone else in the market is doing.

        1. that one in the corner Silver badge

          Re: Security fail by design

          > two mutually contradictory ideas...

          The problem here is the third mutually contradictory idea: the notion that it's your computer, and somebody else should be able to do what they want with it.

          Did you miss that the intended feature (!) is that the *sender* of the message was *meant* to be able to choose what noise *your* machine would make?

          Please tell us that you don't really mean to say that you admire their adding such a feature in the first place?

          1. Jellied Eel Silver badge

            Re: Security fail by design

            > Please tell us that you don't really mean to say that you admire their adding such a feature in the first place?

            Yep. It probably started out something like this...

            "Hey, wouldn't it be funny if we got Bob's PC to make a fart sound every time we sent him an email!"

            "Yeh, but he blocks attachments and embedded media"

            "Not a problem, we can just use NTLM to play it from our server!"

            Then a proposal to add an exciting new feature that would allow CEO's emails to play "Hail to the Chief" every time they send a message. Or facilities could set a siren as a notification when they mail everyone that the building's on fire. Or it could be used to play a warning tone when tornadoes, tsunamis or ICBMs are imminent. Or advertisers could use it to alert customers about exciting new offers. It'll be awesome!

            Sadly, nobody told the requestors to FOAD, or fired them, so lo, it came to pass...

          2. veti Silver badge

            Re: Security fail by design

            No, that's the result of the two balls I mentioned colliding.

            Of course you should be able to send links to people. You should be able to do anything. And you can't expect naive users to make informed decisions about what to do with those, so the system has to have some mechanism for making that decision by default. And it can't just be "reject or ignore anything", because then people will just dump your platform in favour of one that "works better" (= "has more features").

            So they came up with this rather stupid kludge.

            The fix, IMO, has to involve factoring the domain of the remote system into the credential hash, so that the hash sent to a third party won't be the same as that used on a trusted system. But I don't know what that would require.

          3. Anonymous Coward
            Anonymous Coward

            Re: Security fail by design

            "The problem here is the third mutually contradictory idea: the notion that it's your computer, and somebody else should be able to do what they want with it."

            For Microsoft that's not contradictory at all: *They* do that all the time, on a daily basis, with major changes on every update. They literally do whatever they want to "your" computer.

            That should tell anyone it's *not their* computer: It's a Microsoft owned computer they are allowed to use. No more, no less.

        2. Anonymous Coward
          Anonymous Coward

          Re: Security fail by design

          "There's the notion that it's your computer, you should be able to do just about anything you want with it"

          Microsoft butchered that notion somewhere between XP and Windows 10: What you have now is a fat client for actual servers in Redmond, and you can change the screen background on some versions of W10. None on W11.

          It is *not* your computer and you can't do anything not MS approved with it. That's the reality now: Back to X-terminals from 1990s.

          1. James O'Shea Silver badge

            Re: Security fail by design

            Hmm. So... you can't change the screen background on Win11, eh? Golly gee whilikers, I guess that the one and only Win 11 machine around here isn't really a Win11 machine. That, or Microsoft is shipping machines with the company logo as one of the allowed wallpapers. Hmm. Let me see, can I change that? Settings/Personalize/Backgrounds. Hmm. Now the wallpaper is the original Apple six-color apple.

            There's lots of things wrong with Win11. There's no reason to make stuff up. Especially stuff which can be demonstrated as total bollocks in under 30 seconds.

    2. that one in the corner Silver badge
      Headmaster

      Re: Security fail by design

      > email was plain text

      Well, Ameol is available (for Windows, at least) and does a good (enough) job of pulling legible text out of HTML; and if I want to see an oversized email as the sender thinks it should look it is only a few quick clicks to save it and open in a browser (where all the usual blockers can work).

      And the confusion on people's faces when you reply and they can't figure out why it looks like that :-)

      1. b0llchit Silver badge

        Re: Security fail by design

        My thunderbird is set to "Message body as plain text" and I reply inline.

        1. that one in the corner Silver badge

          Re: Security fail by design

          Yeah, ok, Thunderbird is probably more likely to be acceptable than Ameol (if only because the latest builds of TB occurred, you know, this century).

          Pity one has to actually look for and manually set the plain text option though (it wasn't the default when I set it up on SWMBO's laptop).

          1. Anonymous Coward
            Anonymous Coward

            Re: Security fail by design

            "if only because the latest builds of TB occurred, you know, this century."

            More or less irrelevant: It doesn't have holes and it works. What do you want, more 'features'? I'm happy they haven't fu**ed it up like they did with Firefox.

    3. captain veg Silver badge

      Re: Security fail by design

      There are two different problems here.

      One is that those of us having a clue wish to use a secure email client but are forced to try to make it work with Exchange.

      The other is that the BOFH's can't understand that some of us in the first group have succeeded and so their assumption of universal Outlook usage is broken.

      It would be nice* if there were a version of Outlook which only talks to trusted Exchange server(s) and hands off to a real SMTP client for everything else.

      -A.

      *It would be better still that Exchange implement BY DEFAULT standard protocols that any client could talk to.

      1. Anonymous Coward
        Anonymous Coward

        Re: Security fail by design

        > *It would be better still that Exchange implement BY DEFAULT standard protocols that any client could talk to.

        Not going to happen because:

        (a) that would allow competing products to invade the one area where Microsoft keeps users locked in with

        (b) that would allow competing products to show up Microsoft's deficient quality.

        Not a chance. Unless they're forced, of course, and then they'll play the "let's pretend to comply with standards while in reality bending the rules to breaking point" game they've played with Kerberos, OOXML and ODF.

    4. Michael Wojcik Silver badge

      Re: Security fail by design

      > Who thought that auto linking, fetching and executing in mails was a good idea?

      Borenstein and Freed started us down this particular crumbling cliffside path.

      Admittedly, RFC 1341 was inspired partly by the need to support character sets outside ASCII, which is a legitimate problem. And 7.4.2 manages to list a surprising number of security issues with "active" content, for 1992; unfortunately it's clear few implementers gave this much thought.

    5. Bitbeisser

      Re: Security fail by design

      Those days fell by the wayside when someone thought it was a good idea to use a web browser to read and write emails. WebMail started to screw it up for all of us, ever since...

  4. Anonymous Coward
    Anonymous Coward

    Too early for Christmas?

    "Jingle ballsup, jingle ballsup, jingles they will slay, oh what fun the ransom is, in bitcoins you will pay"

    1. TimMaher Silver badge
      Coat

      Re: Too early for Christmas?

      Can you e-mail me that?

  5. CowHorseFrog Silver badge

    Reminds me of many of the places I've visited during my travels, where developers never test arguments and only unit test the happy case. They also never write meaningful messages because, why bother, stuff never fails.

    1. Anonymous Coward
      Anonymous Coward

      The first stage of testing is checking that the software works.

      The second stage of testing is trying very hard to break it.

      Inexperienced software testers often skip the second stage, because management normally desperately wants to release it at the end of the first stage.

      1. Anonymous Coward
        Anonymous Coward

        "Inexperienced software testers often skip "

        .... read: Project managers as it a) costs money and b) delays finishing and c) might actually find problems.

        At that point testers are not even asked: "We have a trade show at x and this will be ready by then."

  6. Grunchy Silver badge

    Is this a thing in Thunderbird?

    I use Thunderbird because I don’t care about new things with arcane psychurity holes built-in. But on second thought, is this possibly also a thing on Thunderbird?

    (To be honest I’m so far behind the curve I’m still on Seamonkey, because I truly just don’t care about new things with all their unwanted psychurity holes they are riddled with. Also: they ain’t anybody left in the world trying to hack my Win95, let’s be perfectly honest about it. Ain’t even one Win95 hacker left on the planet. They all died out!)

  7. jlturriff

    Query for Microsoft

    Dost thou even test thine patches?

    1. Anonymous Coward
      Anonymous Coward

      Re: Query for Microsoft

      You're a bit behind the curve. They got rid of their testers as they discovered they could use their users for that. After all, the users don't have a choice.

  8. Pietertje

    So a while ago MS said using a print server was a security risk. Now playing a notification via outlook is too. What's next: showing something on the screen could harm the cloud? Moving your finger towards the on/off button triggers a backdoor? Will windows 13 come with a black cat? Soooo many questions...

    1. Anonymous Coward
      Anonymous Coward

      It's easily summarised: anything provided* by Microsoft.

      * "Provided" because they also butcher the products they buy in such as Visio

  9. ComputerSays_noAbsolutelyNo Silver badge
    Mushroom

    Microsoft - bringing cross-site scripting (XSS) vulns to the OS near you

    Who in their right mind thinks such a feature would be a good idea?

  10. captain veg Silver badge

    "the second patch is not for Outlook but for the underlying MSHTML platform in Windows"

    Ah. So we are still paying for Internet Explorer's "integration" with Windows.

    I seem to remember MS announcing some years ago that Outlook would no longer render HTML using Trident because it was so insecure, and would instead, completely bizarrely, use Word's utterly brain dead engine instead. Better stupid than pwned, presumably. In consequence anyone determined to inflict HTML emails on us has to encode them using a dialect of HTML from about 30 years ago if they want to have the slightest chance of being readable in most people's email client.

    I despair. Just send plain text. Save the planet.

    -A.

    1. ComputerSays_noAbsolutelyNo Silver badge

      "Ah. So we are still paying for Internet Explorer's "integration" with Windows."

      More like technical ransom than technical debt

  11. david 12 Silver badge

    Using Word to render email in Outlook was because using Trident to render email was "unfair competition". So MS used Word instead.

    This was a disappointment to people who wanted to render email using Firefox, including those in my organization who took the view that adding another browser, shell, telnet client, remote access client, etc -- or two or three of each -- to our servers, and integrating them into process, made our systems more secure.
