The unpatched security vulnerability allows attackers to use a Windows code-sharing feature to trigger malware using formatted Outlook messages
An as yet-unpatched Windows security hole could allow attackers to trigger the execution of malware using code built into Outlook emails, researchers have warned.
The vulnerability first surfaced earlier this month when researchers found Microsoft’s Dynamic Data Exchange (DDE), which is used to for transmitting messages and code between applications, could also allow office documents to trigger malware without the use of macros.
DDE has been built into Windows since 1993, but two weeks ago Sophos said attackers had begun using the feature maliciously.
“Since its reveal this week, many attackers are leveraging the trick to deploy remote-access Trojans (RATs),” wrote Sophos researcher Mark Loman in an advisory.
The computer security firm said DDE was being exploited via attachments such as Word or Excel files.
Microsoft said it considers DDE a legitimate feature, and as such it isn’t clear whether the company plans to issue a patch, according to Sophos.
Over the weekend the firm reported it may also be possible ot trigger DDE malware in Outlook via emails or calendar invites formatted with Microsoft Outlook Rich Text Format.
No attachment needed
Doing so means the exploit runs without the user having to open an attachment, Sophos said.
“By putting the code into the email message body itself, the attack comes one step closer, meaning that the social engineering needed to talk a recipient into falling for it becomes easier,” the firm said in a second advisory on Sunday.
The attack isn’t fully automated, however, and still requires tricking users into clicking “Yes” on two successive dialogue boxes. Sophos said it isn’t yet aware of any means of bypassing the dialogue boxes.
The first message reads: “This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?”
If the user clicks “Yes”, a second message asks the user’s permission to run a command, as follows: “The remote data (k powershell -w hidden -NoP -NoExit -) is not accessible. Do you want to start the application C:\windows\system32\cmd.exe?”
The text in parentheses and the program names referenced at the end varies depending on the code used, Sophos said.
Clicking “No” on either box stops the attack.
Sophos said users can also protect themselves by viewing all emails in plain text.
What do you know about the history of mobile messaging? Find out with our quiz!