Microsoft Outlook 2007 - 2013 Denial Of Service

2014-04-04 / 2014-04-06
Credit: Lubomir
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-399

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

================================================ Denial of Service in Microsoft Outlook 2007-2013 Vulnerability Type: Denial of Service CVE: - Impact: Low CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Status: Unpatched Credits: Lubomir Stroetmann, softScheck GmbH ================================================ Description ----------- softScheck has identified a Denial of Service vulnerability in Microsoft Outlook 2007-2013. A remote attacker can send a plaintext email containing an XML bomb [1] as the message body, causing Outlook to freeze while opening the email. This forces the user to terminate the Outlook process. In the default Outlook configuration, in which email contents are displayed in a reading pane in the main window, the impact is more severe: Outlook will freeze while starting and will not be able to start anymore, since it tries to open and display the email during startup. To resolve the issue, Outlook needs to be started in safe mode and the email needs to be deleted. The Outlook security setting "Read all standard mail in plain text" is not an effective protection against this vulnerability; Outlook will still freeze when opening the email. An XML bomb consists of a valid XML Document Type Definition (DTD) containing several nested entities, each referencing the preceding one. When the email is opened, Outlook freezes while trying to expand all nested entities in memory, which causes the Outlook process to steadily increase in RAM usage. This type of attack has been reported as early as 2003 and was covered in-depth in 2009 in a Microsoft publication [2]. After finishing the expansion, Outlook eventually returns to a stable state. This can take days and due to the exponential growth of the task it can be expanded to take even longer by adding further nesting. Other inputs in Office applications are also affected since they use the same Office XML format parser (e.g. pasting an XML bomb into a Microsoft Word document). Vulnerable versions ---------------------- - Outlook 2007 - Outlook 2010 - Outlook 2011 for Mac - Outlook 2013 All tested with latest patch level. Impact --------- The attack is documented publicly and easy to exploit. The overall impact is low. Mitigation ----------- softScheck reported the vulnerability to Microsoft. Microsoft confirmed the issue, however, it does not meet their definition of a security vulnerability. Microsoft promises to address the issue in a future version of Outlook. Effective protection against the vulnerability can be achieved by adding a rule blocking XML DTD Entities ("<!ENTITY", case-insensitive) to your spam filter. Creating an Outlook rule to permanently delete messages containing "<!ENTITY" also mitigates the attack. Timeline -------- 2014-02-26 Contacted Microsoft Security Response Center 2014-02-28 Contacted CERT/CC 2014-03-20 Contacted Microsoft Germany 2014-04-03 Public release of advisory About softScheck ------------------ softScheck regularly conducts IT Security Audits of software and hardware. We offer "Security Testing as a Service" in the form of a complete process in order to raise the security level of our customers' software. softScheck provides security consulting in all aspects of the ISO 27000 series in addition to coaching and forensics. References ------------ [1] [2] Lubomir Stroetmann softScheck GmbH Bonner Str. 108, 53757 Sankt Augustin Tel: +49 (2241) 255 43 - 0 Fax: +49 (2241) 255 43 - 29 PGP key ID: 0x626C2EDA7FA4E9AA PGP fingerprint: 14D4 6FA7 CE13 D20F 6031 5269 626C 2EDA 7FA4 E9AA


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022,


Back to Top