Concerts, Exotic Cars, News & Photos by Vincent Banial
Opening an email using Outlook could let someone steal your Windows Login Password
You receive an email from what seems like a legitimate source. By opening that email using Microsoft Outlook, you could be allowing a hacker to obtain your Windows login password.
If the received email contains, say, a UNC link starting with \\, clicking on the link will start an SMB connection, and the username and password hash data can be transferred without the user's knowledge.
This is because Microsoft Outlook allows a document to contain embedded parts. Microsoft allows the use of Rich Text Format (RTF) and Object Linking and Embedding (OLE). That can be exploited to get Outlook to “automatically” open an SMB connection to a remote SMB server.
The above Microsoft fix does address the “Automatic” opening of an SMB connection to a remote SMB Server. But, the user viewing said document can still click on a link embedded (via OLE) within the document and that will then initiate an SMB connection.
To check if your Windows system has the update installed, go to Settings → Update & Security → Windows Update → Check for updates. The updates can be set to install automatically, or you can install them manually.
The Microsoft Apr 10 Security update does not address the end user clicking on a link. To eliminate an SMB session being established after an OLE link has been clicked, you need to block certain ports for incoming and outgoing SMB sessions. Block TCP ports 445, 137 and 139. In addition, block UDP ports 137 and 139. That way no inbound or outbound SMB connections will be started.
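One way to apply the port blocks listed above with the built-in Windows Defender Firewall cmdlets, as an added example that is not part of the original article. The rule names and the group label are hypothetical, and the script assumes an elevated PowerShell session on a system with the NetSecurity module.

```powershell
# Added example: block the SMB/NetBIOS ports named in the article, in both directions.
# Run from an elevated PowerShell prompt. Rule and group names are hypothetical labels.
$tcpPorts = 445, 137, 139
$udpPorts = 137, 139
$group    = 'Example - Block SMB'

# One rule per direction and protocol (four rules in total).
$specs = foreach ($dir in 'Inbound', 'Outbound') {
    [pscustomobject]@{ Direction = $dir; Protocol = 'TCP'; Ports = $tcpPorts }
    [pscustomobject]@{ Direction = $dir; Protocol = 'UDP'; Ports = $udpPorts }
}

foreach ($s in $specs) {
    $name = "Block SMB $($s.Protocol) $($s.Direction)"

    # Idempotent: skip rules that a previous run already created.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $name"
        continue
    }

    $params = @{
        DisplayName = $name
        Group       = $group
        Direction   = $s.Direction
        Protocol    = $s.Protocol
        Action      = 'Block'
        Profile     = 'Any'
    }
    # Inbound rules match the local listening port;
    # outbound rules match the port on the remote SMB server.
    if ($s.Direction -eq 'Inbound') { $params.LocalPort  = $s.Ports }
    else                            { $params.RemotePort = $s.Ports }

    New-NetFirewallRule @params | Out-Null
}

# Verify: list each rule in the group with the ports it filters.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Action     = $_.Action
        Protocol   = $filter.Protocol
        LocalPort  = $filter.LocalPort  -join ','
        RemotePort = $filter.RemotePort -join ','
    }
} | Format-Table -AutoSize
```

Because the rules apply to every firewall profile, they also stop the machine from reaching file shares on its own network; `Remove-NetFirewallRule -Group 'Example - Block SMB'` removes all four rules.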
You should also add a Windows Registry DWORD (32-bit) value named “EnterpriseAccountSSO” and set it to “0”. How to do that is detailed below.