Microsoft fixes Outlook URL formatting bypass
Microsoft has closed a gap in its patch for an Outlook vulnerability from 2020 after a workaround was discovered, according to the researcher who found both the original vulnerability and its workaround.
The original vulnerability, CVE-2020-0696, was discovered by Reegun Richard Jayapaul, then of Resecurity and now of Trustwave SpiderLabs. An attacker who wrote a legitimate URL in an email and set the link behind it to a second, malformed, malicious URL would evade Microsoft’s Safelink malicious link detection.
These malformed links could be formatted by replacing “HTTP://” with a number of patterns, including “file://” or “//”. Safelink would not flag the malformed link as a website requiring verification, but would still automatically correct the malformed URL so that it linked to the intended address.
Microsoft fixed CVE-2020-0696 in 2020.
Due to “curiosity and free time during the pandemic” (according to Jayapaul’s colleague Karl Sigler, senior director of research at SpiderLabs), Jayapaul recently revisited the vulnerability. He found a new pattern that escaped detection – replacing “HTTP://” with “HTTP:/://”.
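For defenders who filter mail themselves, the link patterns described above can be checked for directly. The following Python sketch is an added example, not code from Microsoft, Trustwave or the researcher: it flags anchors whose href does not start with a clean http:// or https:// prefix yet still resolves to a host once the prefix is stripped, and anchors whose visible URL names a different host than the href. The function names, the regular expressions and the phish.example sample links are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# A well-formed web link: http:// or https:// followed directly by a host.
WELL_FORMED = re.compile(r"^https?://[A-Za-z0-9\[]", re.I)
# Optional scheme plus any run of slashes/colons a lenient client may repair.
PREFIX = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?[/\\:]*", re.I)
HOST = re.compile(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None

def implied_host(url):
    """Host reached once a malformed prefix is stripped, or None."""
    m = HOST.match(PREFIX.sub("", url.strip(), count=1))
    return m.group(0).lower() if m else None

def audit(html):
    """Return (href, host, reasons) for each suspicious anchor."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host, shown, reasons = implied_host(href), implied_host(text), []
        if host and not WELL_FORMED.match(href.strip()):
            reasons.append("malformed-prefix")
        if host and shown and shown != host:
            reasons.append("text-href-mismatch")
        if reasons:
            findings.append((href, host, reasons))
    return findings

# Constructed sample: one benign link, then the prefixes the article names.
SAMPLE = "".join(
    f'<a href="{h}">https://www.example.com/login</a>'
    for h in ("https://www.example.com/login", "file://phish.example/login",
              "//phish.example/login", "http:/://phish.example/login"))
print(*audit(SAMPLE), sep="\n")
```

The benign link produces no finding; each of the three malformed links is reported with both reasons.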
Sigler praised Microsoft’s response to Trustwave’s disclosure.
“Microsoft was responsive and quickly tracked both the original issue and the secondary workaround,” he said.
The circumvention is another reminder of a piece of timeless email wisdom, Sigler said.
“Don’t click on links in emails unless you know exactly where it leads,” he said.