December 17, 2015

How your PC can be infected with just one email you didn’t actually read

News Threats

We’ve told you this time and time again: never click suspicious links, never open files received from unknown sources, always delete mail from untrusted senders. While all of these pieces of advices are good, they can’t help you if you’re using Outlook as those precautions won’t protect you from the BadWinmail vulnerability. You don’t need to click or open anything to become infected. You just receive one email – and that’s it. In fact, you don’t even need to open this email.

badwinmail-featured

How’s that possible?

If you’re familiar with Microsoft Office, you probably know that objects can be embedded in MS Office files. Not any objects, but the list is quite long. This is called OLE technology, or Object Linking and Embedding.

It turned out, that this technology works not only in DOC, XLS and so on, but in Outlook email as well. It also turned out, that the above mentioned objects list besides generic MS Office stuff, includes such cool things as Adobe Flash objects.

Do you know why cybercriminals love Flash so much? Because there are lots of vulnerabilities in Flash. Some of these bugs are zero-days, which means they’re unpatched. These vulnerabilities can be exploited to do some things to your PC you definitely won’t like.

It is a well known issue, and in order to fight it, most of developers do the same simple thing: they allow Flash content to be run in their software (for example, browsers) only in so-called ‘sandboxes’. Malicious code can do anything inside these sandboxes, even start some fancy cyber-apocalypse.

But the idea is, that it can’t escape the sandbox and thus won’t affect anything outside it, so your files won’t be corrupted. Well, at least it is designed to be like that — sometimes this trick doesn’t work, but that is another story for another day. It is definitely not the case here.

If you’re waiting for the third ‘it turned out,’ here you go. It turned out, that Outlook doesn’t use this type of sandboxes trick for potentially dangerous objects and runs everything in normal mode. It means that malicious code in embedded objects can act like any other software you installed on your PC.

The problem does not end with those three tidbits of bad news. Outlook is so obliging that it opens the newest email before you do it. Thus if malicious email with BadWinmail exploit attached is the newest in your Inbox, it is executed immediately when you start the Outlook.

Haifei Li, security researcher who has discovered the bug, created proof of concept of a possible attack exploiting the BadWinmail vulnerability, as he called it. He describes it in surprisingly simple words in his research.

He even created this relatively short video, which perfectly explains the core idea of how this vulnerability actually works:

To understand why it is really bad, just imagine some bad guy who instead of opening harmless Calculator app runs ransomware on your PC.

The good news is Haifei Li had reported this bug to Microsoft and the company fixed this issue on December 8. The bad news is, people who are not used to updating their software quickly still have this vulnerability. And many of them will have it for weeks, months, or even years.

Since the report was published openly, lots of cyber-criminals will definitely try to use this vulnerability to infect thousands or even millions of PCs through this. And if you have ever wondered, is it really so important to always update all your software immediately and to use security software, I guess, now you have new good reasons to answer this question in the affirmative.