Tuesday, December 16, 2014

Microsoft Outlook 2013 paste HTML mechanism reveals the clipboard contents

We all use Outlook. If I need to guess, Outlook is the most popular mail client in the world. It has been discovered recently that Outlook 2013 has a way to expose the contents of the user's clipboard.

From time to time we copy really sensitive data such as SSNs, passwords, credit card numbers and bank account numbers.
Sometimes it is even personal secrets, which tend to be much more sensitive than the information above.

An attacker who has access to the victim's display may lure the user into pasting HTML into a new email in Microsoft Outlook 2013, which may expose sensitive information held in the clipboard, as shown in the attached video.

Tested on Outlook Enterprise 2013 64-bit, fully patched
Outlook used HTML mode
Outlook.exe: 15.0.4667.100, created 15 October 2014, 00:27:50

Browser versions:
Chrome 39.0.2171.95 m
Firefox 33.1.1
Opera 26.0

I have sent the report to Microsoft's Security Response Center, and got a very quick response:

Thanks for contacting the Microsoft Security Response Center (MSRC).

As this attack relies on social engineering, Microsoft does not consider it to be a Security Vulnerability. We have investigated your report and concluded that we do not consider it to be a security vulnerability.  That decision is final, and we consider this report to be closed.