From Kaspersky’s blog at usblog.kaspersky.com we’ve learned that you can get infected just by receiving an email if you’re using Outlook, as the usual precautions won’t protect you from the BadWinmail vulnerability. You don’t need to click or open anything to become infected. You just receive one email, and that’s it. In fact, you don’t even need to open this email.
How’s that possible?
If you’re familiar with Microsoft Office, you probably know that objects can be embedded in MS Office files. Not every kind of object, but the list is quite long. This is called OLE technology, or Object Linking and Embedding.
It turned out that this technology works not only in DOC, XLS and so on, but in Outlook email as well. It also turned out that the above-mentioned list of objects, besides generic MS Office stuff, includes such cool things as Adobe Flash objects.
Do you know why cybercriminals love Flash so much? Because there are lots of vulnerabilities in Flash. Some of these bugs are zero-days, which means they’re unpatched. These vulnerabilities can be exploited to do some things to your PC you definitely won’t like.
It is a well-known issue, and in order to fight it, most developers do the same simple thing: they allow Flash content to run in their software (for example, browsers) only in so-called ‘sandboxes’. Malicious code can do anything inside these sandboxes, even start some fancy cyber-apocalypse.
But the idea is that it can’t escape the sandbox and thus won’t affect anything outside it, so your files won’t be corrupted. Well, at least it is designed to be like that. Sometimes this trick doesn’t work, but that is another story for another day. It is definitely not the case here.
If you’re waiting for the third ‘it turned out,’ here you go. It turned out that Outlook doesn’t use this sandbox trick for potentially dangerous objects and runs everything in normal mode. That means malicious code in embedded objects can act like any other software you installed on your PC.
The good news is that Haifei Li reported this bug to Microsoft and the company fixed the issue on December 8. The bad news is that people who are not used to updating their software quickly still have this vulnerability, and many of them will have it for weeks, months, or even years. Since the report was published openly, lots of cybercriminals will definitely try to use this vulnerability to infect thousands or even millions of PCs. And if you have ever wondered whether it is really so important to always update all your software immediately and to use security software, you now have good new reasons to answer that question in the affirmative.
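For mailboxes that cannot be patched right away, a mail gateway can flag messages whose parts are able to carry embedded OLE objects before Outlook receives them. The Python sketch below is an added example, not code from Kaspersky or from the original post; it assumes (from outside this page) that Outlook's rich-format attachments travel as TNEF `winmail.dat` parts, and the function names and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Standard file signatures: the TNEF stream (0x223E9F78, little-endian) and the
# OLE compound-file header shared by .msg, .doc and .xls containers.
TNEF_MAGIC = b"\x78\x9f\x3e\x22"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}


def risky_parts(raw_bytes):
    """Return (filename, reason) for each MIME part that can carry OLE objects."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "(no name)"
        data = part.get_payload(decode=True) or b""
        # Check the bytes as well as the declared type: a sender controls the
        # Content-Type header, so a mislabelled part must still be caught.
        if part.get_content_type() in TNEF_TYPES or data.startswith(TNEF_MAGIC):
            findings.append((name, "tnef"))
        elif data.startswith(OLE_MAGIC):
            findings.append((name, "ole-container"))
    return findings


def build_sample():
    """Constructed test message: one mislabelled TNEF part, one OLE file, one text file."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("hello")
    m.add_attachment(TNEF_MAGIC + b"\x00" * 8, maintype="application",
                     subtype="octet-stream", filename="winmail.dat")
    m.add_attachment(OLE_MAGIC + b"\x00" * 8, maintype="application",
                     subtype="msword", filename="report.doc")
    m.add_attachment("plain notes", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for filename, reason in risky_parts(build_sample()):
        print(f"quarantine candidate: {filename} ({reason})")
```

A flagged part is only a candidate for quarantine or stripping; legitimate Office documents match the OLE signature too, so the policy applied to findings is a local decision.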