
Hacker opportunity in Outlook and Windows

There’s a security hole in Internet Explorer, the Windows 10 Edge browser and Microsoft Outlook that Microsoft knows about but apparently won’t fix.

It’s a long-standing bug called XML eXternal Entities (XXE), but it’s become news again because hackers are using it to grab Microsoft account logins. Microsoft encourages people to use an MS Account to log in to Windows 8, 8.1 and 10 plus other Windows devices. That has some benefits for users but increases the risk if the Microsoft Account details are stolen.

XXE used on a web site can trick Internet Explorer or Edge (the Windows 10 browser) into copying usernames and encrypted passwords to the hackers. Then the hackers have to decrypt the passwords, which is relatively easy if the password is simple (i.e. too short and without variety of characters).

Secure browsers should not allow access to the local computer or file shares.

The same hack can be sent to you via an email viewed in Outlook. The malicious email includes a link to an image; fetching that image from the Internet triggers the hack. It’s yet another reason why linked images are blocked by default in Outlook.

Weasel Words from Microsoft

This all sounds serious but Microsoft doesn’t seem concerned. This was the response they gave to ZDNet:

“We’re aware of this information gathering technique, which was previously described in a paper in 2015. Microsoft released guidance to help protect customers and if needed, we’ll take additional steps.”

Microsoft resorts to weasel words from the PR handbook.  It’s not an exploit used to gather up usernames and passwords, it’s merely an ‘information gathering technique’.  In the same way that a bank robbery is a ‘funds accumulation strategy’!

Protect yourself (aka mitigation)

There are some ways to protect yourself. Some of the recommendations from experts aren’t that practical so we’ve added our own thoughts on what you can do.  Many of these suggestions are good ‘safe computing’ practice, not just for the XXE exploit.

  • Use Google Chrome or Firefox browsers. They are generally considered better web browsers anyway. If you don’t already use one of these browsers, consider switching. Office Watch prefers Google Chrome but knows others of considerable worth who swear by Firefox.
  • Do NOT use Internet Explorer or even Edge in Windows 10.
  • Don’t use Microsoft Outlook. This isn’t really a practical option for many of us.
  • There are ways to reduce the risk without dumping Outlook.
    • Make sure incoming emails don’t display images automatically. Blocking images is the default in Outlook with many good reasons.
    • Your mail host should have good filters for malicious emails so they don’t reach your computer at all. No filter is perfect (hence blocking images) but most nasty emails should be caught.
  • Don’t use your Microsoft Account to log in to Windows 8, 8.1 or 10. Again, this might not be a practical option. You have to balance the small risk of being hacked against the benefits of a common MS Account login. Microsoft makes you go through hoops to set up a local account (instead of an MS Account) login in Windows 10, but it is possible.
  • Definitely set up two-factor authentication for your Microsoft Account. If someone does get your MS account login, they won’t be able to use it without the external verification from you. Windows 10 for Microsoft Office users has an entire chapter devoted to the setup and use of two-factor authentication.
  • Make sure you have a strong, complex Microsoft Account password. Use upper and lower case, numbers and some other characters. A strong password is harder for the hackers to decrypt.
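The mail-host filtering and image-blocking advice above boils down to one check: which images in an HTML email are embedded, which are fetched from the Internet, and which point at a file share. The following is an added example of that check (not code from Office Watch or Microsoft); the sample email body and the 203.0.113.5 address are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML email body: one embedded image (cid:), one
# ordinary remote image, and two that would make the mail client reach
# out to a file share (file:// URL and a UNC path).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hello</p>
<img src="cid:logo@example.invalid">
<img src="https://cdn.example.invalid/banner.png">
<img src="file://203.0.113.5/share/pixel.gif">
<img src='\\\\203.0.113.5\\share\\pixel.gif'>
</body></html>
"""


class ImageSourceCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in the body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value.strip())


def classify_image_source(src):
    """Return 'embedded', 'remote' or 'file-share' for one image src."""
    if src.startswith("\\\\"):          # UNC path: \\host\share\file
        return "file-share"
    scheme = urlsplit(src).scheme.lower()
    if scheme in ("cid", "data"):       # shipped inside the message itself
        return "embedded"
    if scheme in ("file", "smb"):       # would open a share on fetch
        return "file-share"
    return "remote"                     # fetched from the Internet


def scan_email_html(html):
    """Return [(src, classification)] for every image in an HTML body."""
    collector = ImageSourceCollector()
    collector.feed(html)
    return [(src, classify_image_source(src)) for src in collector.sources]


def should_block(classification):
    """Outlook's default: only embedded images are shown automatically."""
    return classification != "embedded"
```

A mail filter can reject or quarantine messages that contain any "file-share" source, while "remote" sources are the linked images Outlook already hides until you choose to download them.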

About this author

Office-Watch.com

Office Watch is the independent source of Microsoft Office news, tips and help since 1996. Don't miss our famous free newsletter.