Check Point Threat Alert: Outlook OLE Vulnerability

Object Linking and Embedding (OLE), developed by Microsoft, allows users to embed and link to documents and other objects. However, a Remote-Command-Execution vulnerability was found in Microsoft Office that allows remote attackers to execute arbitrary code via a crafted email message processed by Outlook.

Microsoft Outlook has a sandbox bypass vulnerability which allows an attacker to bypass Outlook’s security layers and exploit Office’s OLE capabilities. A remote attacker can send a victim an e-mail containing a specially crafted attachment. This attachment may embed an OLE object that leverages a second vulnerability in other registered OLE software. The vulnerability was found by security researcher Haifei Li, who disclosed it to Microsoft. It was addressed in December 2015 Microsoft Security Bulletin MS15-131 (CVE-2015-6172).

Check Point released an IPS protection to help customers defend against such attacks until they can patch their Microsoft Office systems.

Check Point IPS Protection

Check Point protects its customers from attacks targeting this vulnerability with the following IPS protection, which was released on December 24, 2015:

• Microsoft Outlook Embedded OLE Object (MS-15-131; CVE-2015-6172)
  Note: This protection is a generic mitigation for this attack, as it blocks any mail attachment with embedded OLE objects. Therefore, the protection is not part of the recommended profile, and manual activation is required by customers who wish to use it.

References

• OLE Objects: https://en.wikipedia.org/wiki/Object_Linking_and_Embedding
• Related CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6172
• Check Point IPS protection: http://www.checkpoint.com/defense/advisories/public/2015/cpai-2015-1336.html
• Technical description: http://arstechnica.com/security/2015/12/outlook-letterbomb-exploit-could-auto-open-attacks-in-e-mail/