Iranian hackers attack using old Outlook security bug


The US government has issued a new warning about malware that exploits a security hole in Outlook for Windows, one that Microsoft patched over 18 months ago.

The warning generated a lot of scary headlines, especially since there’s suspected Iranian involvement.  If you’ve been taking standard precautions and keeping Office for Windows updated, there’s little to worry about in these latest warnings.

What you need to know

  • The Outlook vulnerability being used in these attacks was patched by Microsoft in October 2017.
    • Yes, 2017 – about 20 months ago.
  • Outlook 2016, 2013 and 2010 for Windows are affected.
    • Outlook 365 for Windows is OK if it has been updated in the last year (almost certainly true, since Office 365 updates itself).
    • Outlook 2019 for Windows is OK because the security hole was fixed long before its first release.
  • If you’ve updated Office for Windows any time in the last year (let’s say), you’re protected from attacks of this type.
  • Even that assumes a malicious email reaches your mailbox and gets past anti-virus checks in the first place.
  • Many of these attacks are targeted and could be stopped by using Two-Factor Authentication; see Myths about Two-Factor Authentication.
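The practical question behind the list above is “is my Outlook for Windows newer than the October 2017 fix?”. The PowerShell below is an added example, not code from the original article or from Microsoft: it locates OUTLOOK.EXE through its App Paths registration, reports the file version and Click-to-Run build, and flags a binary older than the 10 October 2017 Patch Tuesday. The date comparison is a heuristic assumption, not an authoritative fixed-build-number check; the Office 365/2019 `VersionToReport` value and the one-year staleness threshold are likewise assumptions for illustration.

```powershell
# Added example: report the installed Outlook for Windows build and whether it
# post-dates the October 2017 update that fixed CVE-2017-11774.
# Heuristic (assumption): a binary written after Patch Tuesday, 10 October 2017,
# is treated as patched. This is not a check against exact fixed build numbers.
$patchDate = Get-Date '2017-10-10'

# OUTLOOK.EXE is registered under App Paths for both MSI and Click-to-Run installs.
# 32-bit Office on 64-bit Windows lands under WOW6432Node, so check both hives.
$appPathKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
)
$exe = $null
foreach ($key in $appPathKeys) {
    $candidate = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($candidate -and (Test-Path $candidate)) { $exe = $candidate; break }
}
if (-not $exe) {
    Write-Output 'Outlook for Windows not found on this machine.'
    return
}

$file    = Get-Item $exe
$version = $file.VersionInfo.FileVersion
$major   = [int]$version.Split('.')[0]
# Major file version maps to the Outlook generation (16 covers 2016, 2019 and 365).
$generation = switch ($major) {
    14      { 'Outlook 2010' }
    15      { 'Outlook 2013' }
    16      { 'Outlook 2016 / 2019 / 365' }
    default { "Unknown (major version $major)" }
}

# Click-to-Run installs (Office 365, Office 2019) record the build they report here;
# MSI installs of 2010/2013/2016 do not have this key. (Assumed key/value name.)
$c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
$c2rBuild = if ($c2r -and $c2r.VersionToReport) { $c2r.VersionToReport } else { 'n/a (MSI install)' }

$result = [pscustomobject]@{
    OutlookExe      = $exe
    Generation      = $generation
    FileVersion     = $version
    ClickToRunBuild = $c2rBuild
    BinaryDate      = $file.LastWriteTime.ToString('yyyy-MM-dd')
    NewerThanPatch  = ($file.LastWriteTime -gt $patchDate)
    AgeInDays       = [int]((Get-Date) - $file.LastWriteTime).TotalDays
}
$result | Format-List

if (-not $result.NewerThanPatch) {
    Write-Warning 'OUTLOOK.EXE predates the October 2017 security update: install Office updates before trusting this machine with email.'
} elseif ($result.AgeInDays -gt 365) {
    # One-year threshold mirrors the article's rule of thumb; it is a policy choice, not a fixed rule.
    Write-Warning 'Outlook has not been updated in over a year: run Office / Windows Update.'
}
```

Run it from an ordinary PowerShell prompt on the workstation in question; no administrator rights are needed because it only reads HKLM and the file's metadata. A build date is a weaker signal than the KB number of the installed update, so on a managed fleet confirm the result against your patch-management records rather than trusting the heuristic alone.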

Background

Back in 2017 SensePost discovered a vulnerability in Outlook which allowed code to run in Windows and infect a computer.  It is a security feature bypass rather than a memory corruption bug: Outlook can be made to load attacker-controlled content, which then runs code on the PC.  In the attacks described here it arrives by email.

SensePost notified Microsoft, who patched the bug in their October 2017 batch of security updates.  At that time the bug wasn’t being exploited in the wild; the threat was theoretical.

The security lapse in Outlook has the catchy name CVE-2017-11774 – Microsoft Outlook Security Feature Bypass Vulnerability.

Once a security hole in Office is public knowledge, hacking groups work to take advantage of it.  They know that many organizations don’t update their software promptly, or run older, unsupported releases. There are plenty of vulnerable computers out there, ripe for infiltration.

In 2018, the Iranian state-sponsored group APT33 (also known as Elfin) started sending out attachments that could infect unpatched copies of Outlook.

Fast forward to 2019.  Attacks using CVE-2017-11774 continue, often combined with the disk-wiping Shamoon malware, and they’ve increased in frequency over the last few months.

US Cyber Command deals with attacks by nation states such as Iran, North Korea, China and Russia, which is why its warning drew attention. The domestic US Department of Homeland Security issued a related warning just over a week ago.

Both warnings are vague, but it seems that Iranian-backed groups have stepped up their attacks on US-based organizations (government and business) since the recent increase in tensions around the Strait of Hormuz.

Many of these attacks are aimed at specific individuals or organizations (so-called ‘spear phishing’) rather than using the ‘scatter gun’ approach of traditional phishing.

In short

If you’re being cautious about incoming emails and updating Windows and Office regularly, your risk of infection is very low. Beyond those standard precautions, there’s nothing special or new required of individuals or organizations.

Office for Windows should get updates regularly, at least every 3-6 months. Microsoft says updates should be installed as soon as they’re released, but the spotty reliability of some updates makes that a risky proposition; a short delay to let problems surface is reasonable, but don’t let it stretch into months.


Want More?

Office Watch has the latest news and tips about Microsoft Office. Independent since 1996. Delivered once a week.