Microsoft Outlook Mail Server Nasty Bug

## FULL DISCLOSURE

#Exploit Author : Rahul Pratap Singh
#Home page Link : http://www.outlook.com
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 12/11/2016

—————————————-
Description:
—————————————-
Microsoft Outlook Mail Server was not able to handle image of 1×1 pixel and behaving aberrantly.

—————————————-
Impact:
—————————————-
Send an email from an outlook email id to another outlook user. It will flood the inbox within 24hrs i.e approx. 2400 emails will get received by the user.

—————————————-
POC:
—————————————-

Vulnerability Disclosure Timeline:
→ April 09, 2015  – Bug discovered, initial report to Microsoft Security Team.
→ April 10, 2015  – Response from Microsoft, report sent for investigation.
→ April 11, 2015  – Response from Microsoft, Problem in reproducing the issue.
→ April 14, 2015  – POC video is sent.
→ April 14, 2015  – Response from Microsoft, poc video sent to analyst for investigation.
→ April 15, 2015  – Response from Microsoft, a case number is assigned to this report.
→ June 06, 2015  – Response from Microsoft, a patch has been deployed, and Hall of Fame awarded.
→ March 11, 2016  – Bug still exist, Sent report again to Microsoft Security Team.
→ March 11, 2016  – Response from Microsoft, a case number is assigned to this report.
→ May 11, 2016  – Response from Microsoft, a patch has been deployed, and Hall of Fame awarded.
→ Sept 13, 2016  – Bug still exist, Sent report again to Microsoft Security Team.
→ Sept 14, 2016  – Response from Microsoft, this is an old issue which I reported. He suggested sending an email on that specific case thread to let the case manager know.
→ Sept 14, 2016  – Told MSRC, when I found this bug (2015), and How it was handled by different MSRC’s, and still bug exist. Submitting this report 3rd time.
→ Sept 15, 2016  – Response from Microsoft, little appreciation. Report sent to MSRC enginner to review.
→ Sept 15, 2016  – Response from Microsoft, Problem in reproducing the issue.
→ Sept 15, 2016  – New POC video is sent.
→ Nov 11, 2016  – Response from Microsoft, a patch has been deployed, and Hall of Fame awarded.
→ Nov 12, 2016  – Full Disclosure

Advertisements

4 thoughts on “Microsoft Outlook Mail Server Nasty Bug

  1. Pingback: Full Disclosure: Outlook.com unable to handle 1×1 pixel. – sec.uno

  2. Pingback: 【知识】11月17日 - 每日安全知识热点 - 莹莹之色

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s