Now Reading
Microsoft denies that Outlook is vulnerable to any password stealing malware

Microsoft denies that Outlook is vulnerable to any password stealing malware

by AshwinOctober 9, 2015

Well, I have to say it. This has not been a good month for Microsoft’s email service, Outlook.

Outlook Web App

A few days ago, we reported that several of the company’s services leaked the personal information of users.

The issue was that the websites displayed the account id of the user logged in, directly in the address bar of the web browser, and that too in plain text, thus allowing literally anyone to view the account’s display name, the profile picture, and account created information.

And then there was the issue with Mac OS X, when Apple released its latest version of the operating system, El Capitan. It was found that the OS suffered from a bug which affected Microsoft Office 2011 users.

The issue prevented the Outlook 2011 app from syncing the mail on the Mac machines. Though that bug was fixed in yesterday’s update, from the Redmond based company, some unconfirmed reports emerged online, claiming that a new security flaw has been found in Outlook’s services.

Only this time it is not the standalone Outlook or Mail apps which are the victims, rather it is the Outlook Web Access app itself. The web client was reported to have a security vulnerability, which could allow attackers to steal the passwords of users, over a period of time. The reports even went on to claim, the issue is so critical, that it can steal the credentials of an organization’s users through a malicious DLL which contained a backdoor, which fed the login credentials back to the hackers.

Microsoft however has dismissed the reports and says that there is in fact no new security vulnerability in the Outlook Web Access, at all.  The Redmond company says that it conducted a research and its investigation found the report to be false, and that an attack will not affect a properly set up OWA server.

In a statement posted at the Technet blogs, Microsoft’s Exchange Team says that the reported “attack” is only possible, when a person with administrator access to a server or an Exhcnge Server could actually put the whole process into action.

It even goes on to say such attacks cam easily be prevented simply by using the latest security measures, i.e., by ensuring that companies use the newest products, services and also by employing modern security measures in place.

In other words, Microsoft says that such an attack on a OWA server could only be initiated by someone well aware of the security systems in place, and with full access to the servers, i.e., an insider.