Microsoft’s half-hearted attitude to security matters is demonstrated yet again with a new patch for Outlook. The patch has taken over a year to be released and doesn’t properly block the security lapse.
It all started back in November 2016, when Microsoft was informed of a problem with RTF documents containing an external link to a malicious OLE object. That combination could bypass some of Microsoft’s security features and allow access to a computer. All it took was a preview of the malicious email; there was no need to open the message or click on a link.
Will Dormann has a good explanation of the original problem and the later troubles that have been uncovered.
In early 2017 there was a known security bug in Outlook where a malicious email could crash Windows (not just Outlook) with the dreaded BSOD (Blue Screen of Death). The email only had to be previewed in Outlook and the computer crashed. Luckily, this exploit was patched before it was used publicly.
Independent investigators, not Microsoft, kept digging and found more troubles. That brings us to the latest bug fix from Microsoft.
April 2018 incomplete fix
A few days ago, Microsoft released patches for Office 2007 through Office 2016 under the reference CVE-2018-0950. According to Redmond, the bug “could potentially result in the disclosure of sensitive information to a malicious site.”
But the patch is horribly incomplete.
It only stops the exploit from working when the email is merely previewed. If the reader can be tricked into clicking the malicious link, the computer is still compromised.
As Will Dormann says, “… even with this patch, a user is still a single click away from falling victim to the types of attacks described above.”
And this half-baked patch is what Microsoft offers after more than a year’s notice of the main problem. They seem interested only in fixing the immediate problem, not in digging deeper to fix the underlying bug.
What to do?
The CVE-2018-0950 patch is better than nothing. Granted, it’s not a lot better, but you should still install it.
Always be wary of links in emails. Make sure a link points to a legitimate website by checking the underlying link shown in the tooltip, not just the text visible in the email body.
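The tooltip check above can be automated for a mail gateway or a quarantine review tool. The following Python script is an added example, not code from the original post or from Microsoft; it parses the HTML body of an email, extracts every anchor, and reports links whose visible text names one domain while the real target (the `href`) goes somewhere else, as well as links that are not ordinary web URLs at all. The sample message and all host names in it are constructed for the demo (documentation and reserved names only), and the “registered domain” helper is a deliberate simplification that takes the last two labels instead of consulting the public suffix list.

```python
"""Flag e-mail links whose visible text disagrees with the real target.

Added example, not from the original post. It automates the advice to
compare the link shown in the message body with the link actually followed.
SAMPLE_EMAIL_HTML below is constructed for the demo; every host in it is a
documentation or reserved name, not a real site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic: a bare or URL-prefixed host name inside the visible anchor text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, if any
        self._buf = []      # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._buf = []

    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._buf).strip()))
            self._href = None


def _registered_domain(host):
    """Crude 'registered domain': last two labels (assumption: no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Classify one link.

    Returns one of:
      'ok'                 visible text names the same registered domain as the target
      'mismatch'           visible text names a different domain than the target
      'no-domain-in-text'  visible text is a plain label ("Read more"); nothing to compare
      'non-web-scheme'     target is not http(s): file:, UNC path, javascript:, relative, ...
    """
    parsed = urlparse(href.strip())
    if parsed.scheme.lower() not in ("http", "https") or not parsed.hostname:
        # file://, \\server\share style paths and other non-web targets get
        # a reviewer's attention rather than a domain comparison.
        return "non-web-scheme"
    match = _DOMAIN_IN_TEXT.search(text)
    if not match:
        return "no-domain-in-text"
    shown = _registered_domain(match.group(1))
    actual = _registered_domain(parsed.hostname)
    return "ok" if shown == actual else "mismatch"


def audit_links(html):
    """Return one record per anchor in the HTML body, with its verdict."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [{"href": h, "text": t, "verdict": check_link(h, t)}
            for h, t in collector.anchors]


# Constructed sample message: one honest link, two spoofed ones, one file
# share link and one plain "Read more" link.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention.</p>
<a href="https://login.example-bank.com/reset">https://login.example-bank.com/reset</a>
<a href="http://203.0.113.5/login">https://login.example-bank.com/reset</a>
<a href="https://secure-example-bank.com.attacker.example/">secure-example-bank.com</a>
<a href="file://fileserver.example/share/invoice.rtf">View invoice</a>
<a href="https://www.example.com/news">Read more</a>
"""

if __name__ == "__main__":
    for record in audit_links(SAMPLE_EMAIL_HTML):
        print(f"{record['verdict']:18} {record['text']!r:45} -> {record['href']}")
```

Run it as a script to see the five verdicts for the sample message; in practice `audit_links` would be fed the decoded `text/html` part of each incoming message, and anything other than `ok` or `no-domain-in-text` routed for review. The `non-web-scheme` bucket is the one most relevant to this patch: a link that resolves to a file share rather than a website is exactly the kind of target a user should never be a single click away from following.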