Security researcher Lubomir Stroetmanns of softScheck has identified a Denial of Service vulnerability in Microsoft Outlook 2007, 2010 and 2013 running on Windows operating system and Microsoft Outlook 2011 for MAC.  Lubomir says that though he has advised Microsoft of the vulnerability, Microsoft has acknowledged the vulnerability,  a patch has not yet been released.
Flaw detected in Microsoft Outlook 2007-2013 for Windows and Mac which allows a Billion laughs attack

Lubomir said that though the flaw was a medium risk one but a potential attacker can use it for a Denial of Service attack.  To execute the flaw,  a remote attacker can send a plain text email containing an XML bomb as the message body, causing Outlook to freeze while opening the email. This forces the user to terminate the Outlook process. In the default Outlook configuration, in which email contents are displayed in a reading pane in the main window, the impact is more severe: Outlook will freeze while starting and will not be able to start anymore, since it tries to open and display the email during startup.   A XML bomb is also known as a Billion laughs.  The Billion laughs  An XML bomb consists of a valid XML Document Type Definition (DTD) containing several nested entities, each referencing the preceding one. When the email is opened, Outlook freezes while trying to expand all nested entities in memory, which causes the Outlook process to steadily increase in RAM usage. This type of attack has been reported as early as 2003 and was covered in-depth in 2009 in a Microsoft report. After finishing the expansion, Outlook eventually returns to a stable state that is why Lubomir has marked this as a medium risk flaw. However once the XML bomb as been received by the user, the Outlook can take days and due to the exponential growth of the task it can be expanded to take even longer by adding further nesting. 

Lubomir says the only way to resolve the issue, you have restart the Windows PC in safe mode and open Outlook.  Once you open the Outlook, you have to delete the message which contains the XML bomb. 

Lubomir adds that changing the Outlook security setting “Read all standard mail in plain text” is not an effective protection against this vulnerability and Outlook will still freeze when opening the email.  Lubomir says that this flaw can also affect other Office applications as they use the same Office XML format parser (e.g. pasting an XML bomb into a Microsoft Word document).

The attack is documented publicly and easy to exploit. The overall impact is low.

2014-02-26 Contacted Microsoft Security Response Center
2014-02-28 Contacted CERT/CC
2014-03-20 Contacted Microsoft Germany
2014-04-03 Public release of advisory

Resource : CX Security


Please enter your comment!
Please enter your name here