Reflecting on the “Enterprise Killer” aka BadWinmail or letterbomb…
Was it all hype or was it actively in the wild?
Have I already been compromised by it?
Which came first – the patch or the exploit?
Did patching protect me or am I still vulnerable?
What else can I do?
Are you still asking yourself questions like these when you hear of the latest threats, and frequently doing the due diligence fire drills? While it’s a reactive and often necessary practice, it can be detracting from the proactive job we intend to be doing.
Let’s review the risk.
Haifei Li, a Security Researcher at Intel, discovered this attack vector naming it BadWinmail, and wrote a paper to disclose this to the security community on December 15th.
To summarize the paper, the attack uses Microsoft Outlook’s Object-Linking and Embedded technology (OLE) integration to bypass it’s built-in email sandbox and can be executed by the OS by simply reading the email, either by selecting it or AUTOMATICALLY if it is at the top of your box and it is previewed. NOTE: It does not require a user to click on any links inside the email (a simple preview of the message will trigger it)! Thus, all the employee awareness programs won’t be a mitigating control in this case. Once the embedded code is executed it has the potential to self-propagate inside your company and send emails to anyone in your address book.
Microsoft identified that this vector will “allow remote attackers to execute arbitrary code via a crafted email message processed by Outlook, aka “Microsoft Office RCE Vulnerability.”” (Remote Code Execution). That’s pretty much the worst-case weakness.
And in time with Patch Tuesday (the 2nd Tuesday of the month), Microsoft released a patch for this on December 8th, 2015, just 1.5 months since it was privately reported to them by Haifei.
Who is (or was) vulnerable?
Pretty much anyone who is (or was) running Outlook (or using Word) on Windows since 2007 – before applying the latest patches, that includes; Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2016, Word 2013 RT SP1, and the Office Compatibility Pack SP3.
SINCE 2007… 8 years is actually a pretty big window of opportunity IF there was an exploit in the wild. Even now, there are occurrences being actively attempted and most AV software is not catching it (only 3 of 54 AV engines according to VirusTotal as of 12-28-2015). This is because attackers are smart enough to change the file types with each attack to make the hash different, thus AV is not enough to catch leading malware.
As we all are aware, getting the patches applied is always inconsistent and has delays based on endpoint owners and administrators; there are always unpatched exceptions for months. Personal and enterprise endpoint targets will continue to be very concerned about this attack vector for a while. This vulnerability (CVE-2015-6172) has a base score of 9.3 of 10 and an impact score of 10. That means solid internal processes to roll it out, track that it has been applied, and do our vulnerability scans for assurance.
Then, will we feel pretty confident our actions will address this “new” threat and our enterprises are once again safe? Are exploits only in the wild now because attackers typically wait to reverse engineer the latest patches to target the low-hanging fruit? There are many attackers that take the “easy” path because they know about the patching gap. And yet, it turns out that this vector is not that new as many are touting. In 2006, Microsoft released a patch that addressed a very similar issue (CVE-2006-0002) to address the OLE and TNEF decoding vulnerability for Outlook versions and Exchange susceptible since 2000, which was essentially a Remote Code Execution problem then too. Even just the slightly more curious attackers (not to be confused with the dedicated attackers and malware developers who are constantly looking for weaknesses on their own), could have been decompiled and re-engineered that patch since 2006 and may have found this issue that Haifei recent discovered and disclosed.
How long have we really been at risk?
You already know this answer… we are constantly at risk and just because a new disclosure comes out and a new critical patch is released to address a new CVE that we immediately apply to our entire vulnerable landscape, does not mean that we locked up the hen house with the fox outside.
We need better ways to protect and detect because we are always at risk and do not even know yet what to fully prevent.
What can you do?
Patch and ensure that systems are patched.
For those unable to patch or have not yet applied the patches, Microsoft recommends the following workarounds:
Disabling the message preview window for Outlook to prevent malicious messages from being automatically opened
Changing settings to view all e-mails as plain text
Disable Flash ActiveX control with an Office COM kill bit in the registry (it was confirmed with this fix that Outlook will not load Flash content anymore)
Contact Latus, we offer the following:
A leading endpoint malware prevention solution from one of our partners that does not rely on signatures or the latest CVEs, that will detect and stop malware before it becomes news
An endpoint management solution to manage patches and make registry changes (or detect them) throughout your infrastructure with ease
A Compromise Assessment Service where we drop in a security appliance to your DMZ for 2-3 weeks to provide you with clear data to let you know the safety of your enterprise
Please contact us at 888-GO-LATUS or visit our web site (www.latussolutions.com) for more information on how we can help you in the short term and long term.