Microsoft patches vulnerabilities in Outlook and DNS client
Microsoft has patched more than 60 vulnerabilities in its products in the latest Patch Tuesday. These include a bug in Outlook that could reveal the contents of emails and a vulnerability in the Windows DNS client that allowed code execution.
The Outlook 2016 bug, identified as CVE-2017-11776, was described in a post from Austrian security company SEC Consult. The company's researchers write that the bug caused an email encrypted with S/MIME to be sent in both encrypted and unencrypted form. An attacker who intercepts the mail can therefore read its contents. The problem is said to have occurred for at least the past six months with emails sent using plain text formatting; the default format is HTML. When Exchange is used, the message is exposed only up to the first hop; with SMTP, the email remains unencrypted for the entire journey, the company said.
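A defender-side check for the behaviour described above, as an added example that is not from the article or from SEC Consult: it parses a raw message with Python's standard email package and reports any readable text part that travels alongside an S/MIME encrypted part. The sample messages and their MIME layout are constructed assumptions, not captures of the actual bug.

```python
# Added example, not from the article: flag S/MIME mail that also carries readable text.
from email import message_from_bytes, policy

ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def is_enveloped(part):
    """True if this MIME part is an S/MIME encrypted (enveloped-data) body."""
    if part.get_content_type() not in ENCRYPTED_TYPES:
        return False
    smime_type = part.get_param("smime-type")
    # signed-data is a signature, not encryption; a missing parameter is treated as encrypted.
    return smime_type is None or str(smime_type).lower() == "enveloped-data"

def plaintext_leaks(raw):
    """Return non-empty text bodies in a message that also has an encrypted part."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = list(msg.walk())
    if not any(is_enveloped(p) for p in parts):
        return []  # ordinary unencrypted mail is out of scope for this check
    texts = (p.get_content().strip() for p in parts if p.get_content_maintype() == "text")
    return [t for t in texts if t]

# Constructed samples. The layout of LEAKY is an assumption made for illustration.
HEADERS = b"From: alice@example.com\nTo: bob@example.com\nMIME-Version: 1.0\n"
P7M = (b'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
       b"Content-Transfer-Encoding: base64\n\nAAAA\n")
LEAKY = (HEADERS + b'Content-Type: multipart/mixed; boundary="b1"\n\n'
         b"--b1\nContent-Type: text/plain; charset=us-ascii\n\nQuarterly numbers: 42\n"
         b"--b1\n" + P7M + b"--b1--\n")
CLEAN = HEADERS + P7M
PLAIN = HEADERS + b"Content-Type: text/plain; charset=us-ascii\n\nLunch at noon?\n"

if __name__ == "__main__":
    for name, raw in (("LEAKY", LEAKY), ("CLEAN", CLEAN), ("PLAIN", PLAIN)):
        print(name, plaintext_leaks(raw))
```

Run against copies of outbound mail captured at the gateway or exported from Sent Items, a non-empty result marks a message whose encrypted payload was accompanied by readable text.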
Security firm Bishop Fox has published an analysis of the vulnerability in dnsapi.dll, identified as CVE-2017-11779. The vulnerability can be exploited when an attacker, for example in a man-in-the-middle position, sends a malicious DNS response to a client. This lets the attacker remotely execute arbitrary code within the application that uses DNS, for example the browser. The vulnerability is present in Windows 8 and 10 and in Windows Server versions between 2012 and 2016.
A third vulnerability that Microsoft has patched, known as CVE-2017-11826, is a zero-day in Office that the Redmond company says is being actively used by attackers. Using a specially crafted file, delivered for example via email, an attacker can remotely execute code on a victim's system. If the victim has administrative rights, the attacker could take over the system in question, Microsoft warns. The vulnerability is related to the way Office handles objects in memory and is present in Word 2016 and older versions, among others. The Chinese security company Qihoo 360 published an analysis of the vulnerability at the end of September.