hTconeM9user said:
Another fix Kandek said IT admins should focus on is MS15-131, which covers an issue within Microsoft Office and is rated as critical.

"CVE-2015-6172 is a critical vulnerability in Outlook that is triggered by a maliciously formatted email message," he said.

"There is no reasonable workaround: Microsoft suggests turning off the preview pane - the digital equivalent of 'Just don’t do it', so patch this vulnerability as soon as possible."
Hm...is the above quote not ambiguous? Both 'fix' and 'workaround' have been used.

Has the Outlook issue been fixed with yesterday's patch or not? I hope that the Outlook issue has been fixed, as the suggested workaround is quite inconvenient.

What does a 'maliciously formatted email message' look like?

See also the quote below from https://technet.microsoft.com/en-us/.../ms15-131.aspx

Microsoft Office RCE Vulnerability – CVE-2015-6172

A remote code execution vulnerability exists in the way that Microsoft Outlook parses specially crafted email messages. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user and take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerability, the user must open or preview a specially crafted email message with an affected version of Microsoft Outlook. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email message to the user and then convincing the user to preview or open the email.

Workstations and terminal servers on which Microsoft Outlook is installed are at risk of this vulnerability. Servers could be more at risk if administrators allow users to log on to them to run programs. However, best practices strongly discourage allowing this. The update addresses the vulnerability by correcting how Microsoft Outlook parses specially crafted malicious email messages.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. At the time this security bulletin was originally issued, Microsoft was unaware of any attack attempting to exploit this vulnerability.

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

The following workarounds may be helpful in your situation:

  • Disable previewing messages in Outlook
    • On the View menu, point to Message Preview, click Off and then confirm that all mailboxes are disabled.

    How to undo the workaround.

    • On the View menu, point to Message Preview, and then click On.

  • Disable reading Outlook email messages in HTML
    1. Click the File tab.
    2. Click Options.
    3. Click Trust Center, and then click Trust Center Settings.
    4. Click Email Security.
    5. Under Read as Plain Text, select the Read all standard mail in plain text checkbox.

    How to undo the workaround.

    1. Click the File tab.
    2. Click Options.
    3. Click Trust Center, and then click Trust Center Settings.
    4. Click Email Security.
    5. Under Read as Plain Text, select Read all standard mail in plain text.