The flaw is a client-side Microsoft Outlook attack that involves modifying victims’ Outlook client homepages for code execution and persistence. The Outlook Home Page feature allows for customisation of the default view for any folder in Outlook.
According to a blog post by security researchers at FireEye, this configuration can allow for a specific URL to be loaded and displayed whenever a folder is opened. This URL is retrieved either via HTTP or HTTPS - and can reference either an internal or external network location. When Outlook loads the remote URL, it will render the contents using the ieframe.dll, achieving remote code execution that persists through system restarts.
Late last month, uniquely automated phishing document was uploaded to VirusTotal. The sample, "TARA Pipeline.xlsm" (MD5: ddbc153e4e63f7b8b6f7aa10a8fad514), launches malicious Excel macros combining several techniques, including execution guardrails to only launch on an unnamed victim domain and character substitution obfuscation.
Researchers said that with a reactive implementation of CVE-2017-11774 using the Outlook\WebView\Calendar\URL registry key, an attacker-controlled home page payload hosted in Azure storage blobs (*.web.core.windows.net), and most importantly – a function to walk through the registry and reverse the CVE-2017-11774 patch for any version of Microsoft Outlook.
"This malicious Excel file appears to be a weaponised version of a legitimate victim-created document - as an earlier non-malicious version was also identified in the public malware repository – and this is a technique also becoming more common with both authorised and unauthorised intrusion operators," said researchers.
Kelvin Murray, senior threat researcher at Webroot, told SC Media UK that although these attacks are an example of Microsoft security patches being rolled back or bypassed, they shouldn't dent anyone’s trust in updates or patching in general. Updating is a core tenant of cyber-security on any system.
"Expect to see Microsoft address this issue properly in future updates to outlook but until then hardening your registry or your environment via GPO with the exploit researcher guidelines will prevent further intrusions on any system," he said.
"Fortunately, it is now possible to give software a sort of digital immune system. Web applications? and APIs can be provided with defences that enable them to identify their own vulnerabilities and? prevent them from being exploited. Once teams see exactly where they are weak and how attackers? are targeting them, they can quickly clean up their house. Ensuring that they (and those using their? software) are protected," he said.