Newsletter 08/15/2024
If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal.



MS Outlook: Text On — Preview Pane Off.
Or You Pays Your Monies and You Take Your Chances, Pt.1

In its latest Patch-O-Rama of August 13, 2024, Microsoft patched what is called a 0-Click vulnerability in its ever popular email application, Outlook.  The term borrows from Zero-Day vulnerability, which refers to a novel type of attack for which no patch is yet available.  PCMag defines a 0-Click attack this way: "As the name implies, a zero-click cyberattack can compromise a device without any action from its owner."  Such was one of the vulnerabilities that Microsoft patched on August 13, 2024.  Nevertheless, according to Michael Gorelik, the chief technology officer at Morphisec, the cyber security vendor that discovered the vulnerability and reported it to Microsoft, there are similar vulnerabilities in Outlook that Microsoft has yet to patch. 

In an interview with CSOOnline published August 14, 2024, Gorelik told the publication:

There are at least two more confirmed CVEs that have yet to be patched, (both of) which lead to full NTLM [Network Trust Level Manager] compromise, so the risk is still there.

What makes these known and unknown vulnerabilities so dangerous is that they exploit known risks long associated with the Preview Pane feature of Outlook.  Now called the Reading Pane, the Preview Pane is the feature in Outlook that offers a glimpse into the contents of an email without actually clicking on and opening up an email message.  As reported by CSOOnline, cited above:

The hole, which Microsoft has dubbed CVE-2024-38173, allows any email malware to be activated without the recipient opening the message, courtesy of Outlook’s popular email preview function.

Simply opening the email will also trigger the attack, without clicking on any links or attachments to activate its payload.  One mitigating factor is that the attacker would need to possess the email credentials of the intended victim.  This might offer some cold comfort, though, when considering the extent to which email addresses have been shown to be compromised lately.  A Dispatch posted January 22, 2024, discussed the Mother of All Breaches (MOAB).  The MOAB is a database of over 26 billion compromised email addresses.  This was followed up by a more recent Dispatch of July 13, 2024, that discussed a database of passwords known to have been compromised.  So it is not abject paranoia to assume that one's email credentials may not be safe and secure.  More proactive measures are now required to stay secure.

One way to thwart the possibility of falling victim to a 0-Click Outlook vulnerability is to turn off those features within Outlook that facilitate such attacks.  One such feature that clearly expands the attack surface of all Outlook users is the Preview (Reading) Pane feature discussed above.  Turning off the Preview or Reading Pane in Outlook is a task I have implored my clients and readers to do for some time now.  That the Preview Pane widens one's attack surface has been well known for years.  A Dispatch, dated March 10, 2023, discussed the Perils of the Preview Pane; and the posting also offered guidance on how to turn the Preview Pane off.  Below is that guidance in a nutshell.

To Turn Off the Reading (Preview) Pane in MS Outlook
1. Click View from the Outlook Main Menu
2. Click Layout → Mouse Over Reading Pane
3. To turn off the Reading Pane, simply click it Off

Another landmine preprogrammed into MS Outlook is its default of displaying email messages as HTML.  Way back when, on November 6, 2022, and soon after this blog began its present run, I posted a complete tutorial on how to switch between HTML and text only and then back again to HTML from within Outlook.  What needs to be understood is that an email in HTML format is essentially a webpage, and is therefore, by definition, programmable.

The original post was a bit long, but it is also a post that I really cannot improve upon.  So I suggest you click the hyperlink above to learn more about why it is a good practice to read, or at least open, all email in text only.  After verifying the legitimacy of an email, it is easy to convert the message back to HTML.  Switching to text only email isn't really difficult, but it does require a few steps.  In return for your effort, though, you will be rewarded with the most secure email that you can have.
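For readers who manage more than one Outlook installation, the same text-only setting can be applied without clicking through the menus.  The PowerShell script below is an added example and is not part of the original post or tutorial; it sets the ReadAsPlain value under the current user's Outlook Options\Mail registry key, which Outlook uses to render HTML and rich-text messages as plain text, and then verifies that the value is in place.  It assumes a current Outlook build that stores its settings under the Office "16.0" key; adjust $OfficeVersion for other releases.

```powershell
# Added example (not from the original post): enforce "read all mail as plain text"
# for the current user's Outlook profile via the registry, then verify it.
# Assumption: Outlook 2016/2019/365, whose settings live under the "16.0" key.
# Outlook must be restarted for the change to take effect.

$OfficeVersion = '16.0'
$MailKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"

function Set-OutlookPlainTextReading {
    param([switch]$Disable)   # -Disable reverts Outlook to HTML rendering

    # The Options\Mail key may not exist until Outlook has written a setting there.
    if (-not (Test-Path $MailKey)) {
        New-Item -Path $MailKey -Force | Out-Null
    }

    $value = if ($Disable) { 0 } else { 1 }
    # ReadAsPlain = 1 tells Outlook to display HTML and RTF messages as plain text.
    Set-ItemProperty -Path $MailKey -Name 'ReadAsPlain' -Value $value -Type DWord
}

function Test-OutlookPlainTextReading {
    # Returns $true only when the key exists and ReadAsPlain is set to 1.
    if (-not (Test-Path $MailKey)) { return $false }
    $prop = Get-ItemProperty -Path $MailKey -Name 'ReadAsPlain' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.ReadAsPlain -eq 1)
}

# Apply the hardened setting and confirm it stuck.
Set-OutlookPlainTextReading
if (Test-OutlookPlainTextReading) {
    Write-Host "Outlook ($OfficeVersion) will read mail as plain text after it is restarted."
} else {
    Write-Warning "ReadAsPlain is not set; check that Outlook $OfficeVersion is installed for this user."
}
```

Run the script in the affected user's own session (the value lives under HKCU, not HKLM), and run it again with `Set-OutlookPlainTextReading -Disable` if a message has been verified as legitimate and needs to be viewed in HTML.  Because the setting is per user, a fleet-wide rollout is better done through the equivalent Office Group Policy setting than by logging on to each machine.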

Making your system as secure as is possible is always tedious, time-consuming, and tiring.  On the other hand, dealing with the fallout from a malware attack is far more tedious, time-consuming, and tiring.  I report. You decide.


¯\_(ツ)_/¯
 Gerald Reiff