Connection Strings

Feature or Flaw? Microsoft Outlook's View Code Might Be Hackable

Sensepost says it has discovered a method for hackers to compromise Microsoft Outlook by way of a Visual Basic-embedded shell. The catch: It requires a feat of social engineering to pull it off.

While the nefarious WannaCry ransomware and DocuSign breach are top-of-mind security issues since they affect so many, there's also this sneaky hack that might have some Outlook developers worried. Security firm Sensepost says it has discovered a method by which a feature of Microsoft Outlook can be used by hackers to run whatever software or apps they want. That discovery was published in this article by Rene Millman on the SC Media UK news site, which links to this Sensepost blog post.

In a nutshell, Millman's piece explains that security researchers at Sensepost discovered what appears to be a hole in an Outlook Forms feature called "View Code – Edit the Visual Basic code for a control" that allows a Visual Basic shell to be embedded from a newly created form. When the form is enabled, it activates the shell, which then can allow a hacker to take over a user's machine. The researchers discovered that the form could still run even with macros disabled in Outlook, since it didn't use the macro script engine but its own VBscript engine.

Millman notes in his article that Microsoft did respond to the hackability claim, essentially saying that Sensepost is misguided to characterize that Outlook feature as vulnerability -- the steps required to execute a hack would require quite a feat of social engineering to compromise passwords and disable security along the way to the end result. Millman's piece is an interesting read, especially as it has responses from independent security researchers on their opinions of this Outlook feature/flaw.

Here are a handful of other more links we've run across that might be useful to you, in no particular order and definitely not conforming to any particular theme:

Andrzej's C++ blog: A serious bug in GCC

MichaelCrump.net: Windows Template Studio Resource Roundup

John Papa: VS Code Function Keys in the MacBook Touchbar

Mono Project: Mono 5.0.0 Release Notes

Scott Hanselman: BUILD 2017 Conference Rollup for .NET Developers

Wu Shuai's Blog: Docker Compose ASP.NET Core to Nano Image with Windows Container

VisualStudioMagazine.com: Serverless C# with Azure Functions: HTTP-Triggered Functions

RCPmag.com: Microsoft's Cloud Growth Putting Pressure on Amazon

ADTmag.com: Xamarin Live Player Eases iOS Development from Windows (But You'll Still Need a Mac)

Redmondmag.com: Microsoft Advises Developers To Stop Using Azure Active Directory Graph

Know of an interesting link, or does your company have a new or updated product or service targeted at Visual Studio developers? Tell me about it at mdomingo@1105media.com.

About the Author

Michael Domingo is a long-time software publishing veteran, having started up and managed several developer publications for the Clipper compiler, Microsoft Access, and Visual Basic. He's also managed IT pubs for 1105 Media, including Microsoft Certified Professional Magazine and Virtualization Review before landing his current gig as Visual Studio Magazine Editor in Chief. Besides his publishing life, he's a professional photographer, whose work can be found by Googling domingophoto.

comments powered by Disqus
Upcoming Events

.NET Insight

Sign up for our newsletter.

I agree to this site's Privacy Policy.