Connection Strings

Feature or Flaw? Microsoft Outlook's View Code Might Be Hackable

Sensepost says it has discovered a method for hackers to compromise Microsoft Outlook by way of a Visual Basic-embedded shell. The catch: It requires a feat of social engineering to pull it off.

While the nefarious WannaCry ransomware and DocuSign breach are top-of-mind security issues since they affect so many, there's also this sneaky hack that might have some Outlook developers worried. Security firm Sensepost says it has discovered a method by which a feature of Microsoft Outlook can be used by hackers to run whatever software or apps they want. That discovery was published in this article by Rene Millman on the SC Media UK news site, which links to this Sensepost blog post.

In a nutshell, Millman's piece explains that security researchers at Sensepost discovered what appears to be a hole in an Outlook Forms feature called "View Code – Edit the Visual Basic code for a control" that allows a Visual Basic shell to be embedded from a newly created form. When the form is enabled, it activates the shell, which then can allow a hacker to take over a user's machine. The researchers discovered that the form could still run even with macros disabled in Outlook, since it didn't use the macro script engine but its own VBscript engine.

Millman notes in his article that Microsoft did respond to the hackability claim, essentially saying that Sensepost is misguided to characterize that Outlook feature as vulnerability -- the steps required to execute a hack would require quite a feat of social engineering to compromise passwords and disable security along the way to the end result. Millman's piece is an interesting read, especially as it has responses from independent security researchers on their opinions of this Outlook feature/flaw.

Here are a handful of other more links we've run across that might be useful to you, in no particular order and definitely not conforming to any particular theme:

Andrzej's C++ blog: A serious bug in GCC

MichaelCrump.net: Windows Template Studio Resource Roundup

John Papa: VS Code Function Keys in the MacBook Touchbar

Mono Project: Mono 5.0.0 Release Notes

Scott Hanselman: BUILD 2017 Conference Rollup for .NET Developers

Wu Shuai's Blog: Docker Compose ASP.NET Core to Nano Image with Windows Container

VisualStudioMagazine.com: Serverless C# with Azure Functions: HTTP-Triggered Functions

RCPmag.com: Microsoft's Cloud Growth Putting Pressure on Amazon

ADTmag.com: Xamarin Live Player Eases iOS Development from Windows (But You'll Still Need a Mac)

Redmondmag.com: Microsoft Advises Developers To Stop Using Azure Active Directory Graph

Know of an interesting link, or does your company have a new or updated product or service targeted at Visual Studio developers? Tell me about it at [email protected].

About the Author

Michael Domingo is a long-time software publishing veteran, having started up and managed several developer publications for the Clipper compiler, Microsoft Access, and Visual Basic. He's also managed IT pubs for 1105 Media, including Microsoft Certified Professional Magazine and Virtualization Review before landing his current gig as Visual Studio Magazine Editor in Chief. Besides his publishing life, he's a professional photographer, whose work can be found by Googling domingophoto.

comments powered by Disqus

Featured

  • Mastering Blazor Authentication and Authorization

    At the Visual Studio Live! @ Microsoft HQ developer conference set for August, Rockford Lhotka will explain the ins and outs of authentication across Blazor Server, WebAssembly, and .NET MAUI Hybrid apps, and show how to use identity and claims to customize application behavior through fine-grained authorization.

  • Linear Support Vector Regression from Scratch Using C# with Evolutionary Training

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the linear support vector regression (linear SVR) technique, where the goal is to predict a single numeric value. A linear SVR model uses an unusual error/loss function and cannot be trained using standard simple techniques, and so evolutionary optimization training is used.

  • Low-Code Report Says AI Will Enhance, Not Replace DIY Dev Tools

    Along with replacing software developers and possibly killing humanity, advanced AI is seen by many as a death knell for the do-it-yourself, low-code/no-code tooling industry, but a new report belies that notion.

  • Vibe Coding with Latest Visual Studio Preview

    Microsoft's latest Visual Studio preview facilitates "vibe coding," where developers mainly use GitHub Copilot AI to do all the programming in accordance with spoken or typed instructions.

  • Steve Sanderson Previews AI App Dev: Small Models, Agents and a Blazor Voice Assistant

    Blazor creator Steve Sanderson presented a keynote at the recent NDC London 2025 conference where he previewed the future of .NET application development with smaller AI models and autonomous agents, along with showcasing a new Blazor voice assistant project demonstrating cutting-edge functionality.

Subscribe on YouTube