BadWinMail Exploit

Slipstick Systems

Outlook › BadWinMail Exploit

Last reviewed on February 14, 2018     2 Comments

There are two newly discovered (and patched) in Outlook. The first is a remote code exploit and unlike many remote code vulnerabilities, which require the user to do something, like go to a web site or open a file, th RTF/TNEF security issue runs when a targeted person opens a message. The exploit is packed in an winmail.dat file and when Outlook renders the winmail.dat, the code runs. The second exploit uses OLE objects embedded in messages which are attached to other email messages.

If you haven't already installed the Security Update for Microsoft Office to Address Remote Code Execution (3116111), which was released on December 8 2015, you should do so as soon as possible. If you are unable to install the update, read mail in plain text or use a macro to convert RTF messages to plain text as they arrive.

It's also possible to set a registry key to prevent Outlook from loading Flash content.

HKEY_LOCAL_MACHINE\​SOFTWARE\​Microsoft\​Office\​Common\​COM Compatibility\​{D27CDB6E-AE6D-11cf-96B8-444553540000}
DWORD: Compatibility Flags
Value: 00000400

As always, user accounts with fewer user rights on the system could be less impacted than those who operate with administrative user rights.

For more information about this exploit, see https://sites.google.com/site/zerodayresearch/BadWinmail.pdf
A demo is available on YouTube

OLE Exploit

The OLE exploit is detailed here: #OLEOutlook - bypass almost every Corporate security control with a point’n’click GUI.

To mitigate this issue (and any new ones that crop up) you can configure Outlook to hide OLE attachments using group policy or setting a registry key.

Outlook 2016

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\security
DWORD: ShowOLEPackageObj
Value: 0

Outlook 2013

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Outlook\security
DWORD: ShowOLEPackageObj
Value: 0

Outlook 2010

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0\Outlook\security
DWORD: ShowOLEPackageObj
Value: 0

Outlook 2007

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\security
DWORD: ShowOLEPackageObj
Value: 0

About Diane Poremsky

A Microsoft Outlook Most Valuable Professional (MVP) since 1999, Diane is the author of several books, including Outlook 2013 Absolute Beginners Book. She also created video training CDs and online training classes for Microsoft Outlook. You can find her helping people online in Outlook Forums as well as in the Microsoft Answers and TechNet forums.

Subscribe
Notify of
2 Comments
newest
oldest most voted
Inline Feedbacks
View all comments

Wow,
Thank you for the information. Perhaps you should create an "Outlook Hardening" article. I just want to use it to read email!

1
-1
Reply

Good idea. :)

Most users are at low risk from these kinds of exploits but it just takes one silly mistake...

2
-2
Reply

Mail Tools

Calendar Tools

Productivity

Help & Suggestions

Visit Slipstick Forums.

What's New at Slipstick.com

Home | Outlook User | Exchange Administrator | Office 365 | Outlook.com | Outlook Developer
Outlook for Mac | Common Problems | Utilities & Addins | Tutorials
Outlook & iCloud Issues | Outlook Apps
EMO Archives | About Slipstick | Slipstick Forums
Submit New or Updated Outlook and Exchange Server Utilities

Send comments using our Feedback page
Copyright © 2025 Slipstick Systems. All rights reserved.
Slipstick Systems is not affiliated with Microsoft Corporation.