{"id":10868,"date":"2015-12-17T09:00:46","date_gmt":"2015-12-17T14:00:46","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=10868"},"modified":"2020-02-27T04:00:24","modified_gmt":"2020-02-26T17:00:24","slug":"bad-badwinmail","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/bad-badwinmail\/10868\/","title":{"rendered":"How your PC can be infected with just one email you didn&#8217;t actually read"},"content":{"rendered":"<p>We\u2019ve told you this time and time again: never click suspicious links, never open files received from unknown sources, always delete mail from untrusted senders. While all of these pieces of advice are sound, they can\u2019t help you if you\u2019re using Outlook, because none of those precautions protects you from the BadWinmail vulnerability. You don\u2019t need to click or open anything to become infected. You just receive one email \u2013 and that\u2019s it. In fact, you don\u2019t even need to open this email.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/12\/06023444\/badwinmail-FB.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/12\/06023444\/badwinmail-FB.jpg\" alt=\"How your PC can be infected with just one email you didn't actually read\" width=\"1280\" height=\"1280\" class=\"aligncenter size-full wp-image-10872\"><\/a><\/p>\n<h3>How\u2019s that possible?<\/h3>\n<p>If you\u2019re familiar with Microsoft Office, you probably know that objects can be embedded in MS Office files. Not every kind of object, but the list is quite long. This is called OLE technology, or Object Linking and Embedding.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Logo for <a href=\"https:\/\/twitter.com\/hashtag\/BadWinMail?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#BadWinMail<\/a> ? 
<a href=\"https:\/\/t.co\/gP45Iq3ShE\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/gP45Iq3ShE<\/a><\/p>\n<p>\u2014 Erlend Oftedal (@webtonull) <a href=\"https:\/\/twitter.com\/webtonull\/status\/677109696789143552?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">December 16, 2015<\/a><\/p><\/blockquote>\n<p>It turned out that this technology works not only in DOC, XLS and other Office files, but in Outlook email as well. It also turned out that the list of embeddable objects, besides generic MS Office items, includes such cool things as Adobe Flash objects.<\/p>\n<p>Do you know why cybercriminals love Flash so much? Because there are <a href=\"https:\/\/threatpost.com\/massive-adobe-flash-update-patches-79-vulnerabilities\/115598\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">lots of vulnerabilities in Flash<\/a>. Some of these bugs are zero-days, which means they\u2019re unpatched. 
These vulnerabilities can be exploited to do things to your PC that you <a href=\"https:\/\/www.kaspersky.com.au\/blog\/exploits-problem-explanation\/9448\/\" target=\"_blank\" rel=\"noopener noreferrer\">definitely won\u2019t like<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Adobe Patches 23 Critical Vulnerabilities in Flash Player: <a href=\"https:\/\/t.co\/ON2iKYKk5f\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/ON2iKYKk5f<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"http:\/\/t.co\/29dRbc5KTI\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/29dRbc5KTI<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/646012750804709376?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 21, 2015<\/a><\/p><\/blockquote>\n<p>It is a well-known issue, and to fight it most developers do the same simple thing: they allow Flash content to run in their software (for example, browsers) only inside so-called \u2018sandboxes\u2019. Malicious code can do whatever it wants inside a sandbox, even stage some fancy cyber-apocalypse.<\/p>\n<p>But the idea is that it can\u2019t escape the sandbox and thus can\u2019t affect anything outside it, so your files stay intact. Well, at least that is how it is designed to work: sometimes the trick fails, but that is a story for another day, and it is definitely not what is going on here.<\/p>\n<p>If you\u2019re waiting for the third \u2018it turned out,\u2019 here you go. It turned out that Outlook doesn\u2019t use this kind of sandbox for potentially dangerous objects and runs everything in normal mode. 
This means that malicious code in an embedded object can do anything that any other program installed on your PC can do.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>What is the #BadWinmail vulnerability and why it is really bad<\/p><\/blockquote>\n<p>The problem does not end with those three pieces of bad news. Outlook is so obliging that it opens the newest email on its own, before you do. So if a malicious email carrying the BadWinmail exploit is the newest one in your Inbox, the exploit runs as soon as you start Outlook.<\/p>\n<p><a href=\"https:\/\/twitter.com\/haifeili\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Haifei Li<\/a>, the security researcher who discovered the bug, created a proof of concept of a possible attack exploiting the vulnerability, which he named BadWinmail. 
He describes it in surprisingly simple terms <a href=\"https:\/\/sites.google.com\/site\/zerodayresearch\/BadWinmail.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">in his research paper<\/a>.<\/p>\n<p>He even made a relatively short video that neatly explains the core idea of how the vulnerability actually works:<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"sv\" dir=\"ltr\">Special Report: <a href=\"https:\/\/twitter.com\/hashtag\/BadWinmail?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#BadWinmail<\/a> \u2013 The \"Enterprise Killer\" Attack Vector in <a href=\"https:\/\/twitter.com\/hashtag\/Microsoft?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Microsoft<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Outlook?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Outlook<\/a><a href=\"https:\/\/t.co\/pOTNIh6bQs\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/pOTNIh6bQs<\/a>. <a href=\"https:\/\/t.co\/BaDEBZXCSm\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/BaDEBZXCSm<\/a>.<\/p>\n<p>\u2014 Haifei Li (@HaifeiLi) <a href=\"https:\/\/twitter.com\/HaifeiLi\/status\/676794079410192385?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">December 15, 2015<\/a><\/p><\/blockquote>\n<p>To understand why it is really bad, just imagine an attacker who, instead of opening the harmless Calculator app as the proof of concept does, runs <a href=\"https:\/\/www.kaspersky.com.au\/blog\/ransomware-10-tips\/10673\/\" target=\"_blank\" rel=\"noopener noreferrer\">ransomware<\/a> on your PC.<\/p>\n<p>The good news is that Haifei Li reported the bug to Microsoft and the company fixed it on December 8. The bad news is that people who are not in the habit of updating their software promptly still have this vulnerability. 
And many of them will have it for weeks, months, or even years.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/IT?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#IT<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Tip?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Tip<\/a> Disable the \u201cremind me later\u201d button to ensure critical updates installed <a href=\"https:\/\/t.co\/jVKXcJ1vWm\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/jVKXcJ1vWm<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#infosec<\/a> <a href=\"https:\/\/t.co\/KNnlnjk0Ej\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/KNnlnjk0Ej<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/662060641071579136?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 5, 2015<\/a><\/p><\/blockquote>\n<p>Since the report was published openly, plenty of cybercriminals will surely try to use this vulnerability to infect thousands or even millions of PCs. 
And if you have ever wondered whether <a href=\"https:\/\/www.kaspersky.com.au\/blog\/why-bother-with-software-updates\/6863\/\" target=\"_blank\" rel=\"noopener noreferrer\">it is really so important to always update all your software immediately<\/a> and to use <a href=\"https:\/\/www.kaspersky.com\/advert\/multi-device-security?redef=1&amp;THRU&amp;reseller=gl_KDpost_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">security software<\/a>, I guess you now have fresh reasons to answer that question in the affirmative.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Did you know that your PC can become infected by an email that you never actually read?<\/p>\n","protected":false},"author":421,"featured_media":10871,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2647,2646],"tags":[1343,389,958,38,1285,268,1342,1340],"class_list":{"0":"post-10868","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-special-projects","9":"category-threats","10":"tag-0days","11":"tag-adobe","12":"tag-flash","13":"tag-microsoft","14":"tag-outlook","15":"tag-vulnerabilities","16":"tag-winmail","17":"tag-worms"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/bad-badwinmail\/10868\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/bad-badwinmail\/5230\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/bad-badwinmail\/6436\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/bad-badwinmail\/6889\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/bad-badwinmail\/6477\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/bad-badwinmail\/7397\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/bad-badwinmail\/7088\/"},{"hreflang":"ru","url":
"https:\/\/www.kaspersky.ru\/blog\/bad-badwinmail\/10247\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/bad-badwinmail\/10868\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/bad-badwinmail\/9879\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/bad-badwinmail\/10247\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/bad-badwinmail\/10868\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/0days\/","name":"0days"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/10868","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=10868"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/10868\/revisions"}],"predecessor-version":[{"id":26802,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/10868\/revisions\/26802"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/10871"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=10868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=10868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=10868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}