==================================================
Denial of Service in Microsoft Outlook 2007-2013
Vulnerability Type: Denial of Service
CVE: -
Impact: Low
CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Status: Unpatched
Credits: Lubomir Stroetmann, softScheck GmbH
http://www.softscheck.com
==================================================
Description
-----------
softScheck has identified a Denial of Service vulnerability in Microsoft Outlook 2007-2013. A remote attacker can send a plaintext email containing an XML bomb [1] as the message body, causing Outlook to freeze while opening the email. This forces the user to terminate the Outlook process. In the default Outlook configuration, in which email contents are displayed in a reading pane in the main window, the impact is more severe: Outlook will freeze while starting and will not be able to start anymore, since it tries to open and display the email during startup. To resolve the issue, Outlook needs to be started in safe mode and the email needs to be deleted. The Outlook security setting "Read all standard mail in plain text" is not an effective protection against this vulnerability; Outlook will still freeze when opening the email.
An XML bomb consists of a valid XML Document Type Definition (DTD) containing several nested entities, each referencing the preceding one. When the email is opened, Outlook freezes while trying to expand all nested entities in memory, which causes the Outlook process to steadily increase in RAM usage. This type of attack has been reported as early as 2003 and was covered in depth in 2009 in a Microsoft publication [2]. After finishing the expansion, Outlook eventually returns to a stable state. This can take days, and because the expansion grows exponentially with nesting depth, adding further nesting levels makes it take even longer.
Other inputs in Office applications are also affected since they use the same Office XML format parser (e.g. pasting an XML bomb into a Microsoft Word document).
Vulnerable versions
----------------------
- Outlook 2007
- Outlook 2010
- Outlook 2011 for Mac
- Outlook 2013
All tested with latest patch level.
Impact
---------
The attack is documented publicly and easy to exploit. The overall impact is low.
Mitigation
-----------
softScheck reported the vulnerability to Microsoft. Microsoft confirmed the issue; however, it does not meet their definition of a security vulnerability. Microsoft promises to address the issue in a future version of Outlook.
Effective protection against the vulnerability can be achieved by adding a rule blocking XML DTD Entities ("<!ENTITY", case-insensitive) to your spam filter. Creating an Outlook rule to permanently delete messages containing "<!ENTITY" also mitigates the attack.
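As a worked example of the filter rule above (added here; it is not part of the advisory and not softScheck's or Microsoft's code), the following Python helper applies the case-insensitive "<!ENTITY" check and, for the nesting pattern described under Description, also estimates how large each declared entity would expand to without performing the expansion, so a message can be scored on its expansion factor rather than only keyword-matched. The regular expressions, the threshold and the sample message are constructed assumptions, and the helper only understands double-quoted internal entities.

```python
import re

# A DTD internal entity declaration such as <!ENTITY a "aaaa">, matched
# case-insensitively as the advisory's filter rule recommends. Hypothetical
# filter helper, not Office's XML parser; handles double-quoted internal
# entities only (no parameter or SYSTEM entities).
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>', re.IGNORECASE)
ENTITY_REF = re.compile(r'&(\w+);')

def matches_filter_rule(body: str) -> bool:
    """The advisory's mitigation: flag any body containing "<!ENTITY" (case-insensitive)."""
    return "<!entity" in body.lower()

def expansion_sizes(body: str) -> dict:
    """Expanded length of each declared entity, computed by summing sizes instead
    of expanding text, so the check stays linear even when expansion is exponential."""
    decls = dict(ENTITY_DECL.findall(body))
    sizes = {}

    def size_of(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:
            return float("inf")  # recursive reference: forbidden by XML, treat as unbounded
        if name not in decls:
            return len(f"&{name};")  # undeclared: a tolerant parser leaves it as-is
        value = decls[name]
        total = len(ENTITY_REF.sub("", value))  # literal characters
        for ref in ENTITY_REF.findall(value):   # plus each nested reference
            total += size_of(ref, stack + (name,))
        sizes[name] = total
        return total

    for name in decls:
        size_of(name, ())
    return sizes

def is_xml_bomb(body: str, max_expansion: int = 1_000_000) -> bool:
    """True when any entity in the message's DTD would expand past max_expansion."""
    return any(size > max_expansion for size in expansion_sizes(body).values())

# Constructed sample: three nesting levels, each referencing the previous one
# ten times, so the outermost entity expands to 10 * 10 * 10 = 1000 characters.
SAMPLE_BODY = """<!DOCTYPE x [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<x>&c;</x>"""
```

Calling expansion_sizes(SAMPLE_BODY) yields sizes 10, 100 and 1000 for a, b and c; a mail gateway would set max_expansion to whatever its own parser can absorb and reject anything above it.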
Timeline
--------
2014-02-26 Contacted Microsoft Security Response Center
2014-02-28 Contacted CERT/CC
2014-03-20 Contacted Microsoft Germany
2014-04-03 Public release of advisory
About softScheck
------------------
softScheck regularly conducts IT Security Audits of software and hardware. We offer "Security Testing as a Service" in the form of a complete process in order to raise the security level of our customers' software. softScheck provides security consulting in all aspects of the ISO 27000 series in addition to coaching and forensics.
References
------------
[1] http://en.wikipedia.org/wiki/Billion_laughs
[2] http://msdn.microsoft.com/en-us/magazine/ee335713.aspx
Lubomir Stroetmann
softScheck GmbH
http://www.softScheck.com
Bonner Str. 108, 53757 Sankt Augustin
Tel: +49 (2241) 255 43 - 0
Fax: +49 (2241) 255 43 - 29
PGP key ID: 0x626C2EDA7FA4E9AA
PGP fingerprint: 14D4 6FA7 CE13 D20F 6031 5269 626C 2EDA 7FA4 E9AA