The 2016 Pwnie Nominee For Best Client-Side Bug

MS15-131 Microsoft Office RCE Vulnerability (BadWinmail) (CVE-2015-6172)

Credit: Haifei Li

You know those annoying ‘winmail.dat’ attachments that you get from your poor friends and colleagues still stuck using Outlook? Haifei Li discovered that you can drop OLE objects in them and Outlook will happily load and run them. Haifei demonstrated this as a vector to exploit Adobe Flash vulnerabilities when your target simply previews or reads the e-mail. Microsoft’s description, however, makes it seem like you can just skip the Flash 0day and get your RCE immediately. That’d make it Super-Duper-BadWinmail.
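For triage at a mail gateway or during incident response, a heuristic check for winmail.dat (TNEF) attachments that carry an embedded OLE compound file, the condition described above. This is an added example, not code from Haifei Li or Microsoft; the function names and the sample bytes are constructed for illustration, and the magic-number search is a heuristic rather than a full MAPI property parser.

```python
import struct

TNEF_SIGNATURE = 0x223E9F78                        # first 4 bytes of winmail.dat (little-endian)
OLE_CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header
LVL_ATTACHMENT = 0x02                              # attribute level: attachment
ATTR_NAMES = {0x800F: "attAttachData", 0x9005: "attAttachment"}

def tnef_attributes(blob):
    """Yield (level, attr_id, data) for each attribute in a TNEF stream."""
    if len(blob) < 6 or struct.unpack_from("<I", blob)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos = 6  # 4-byte signature + 2-byte key
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise ValueError("truncated attribute header")
        level, tag, length = struct.unpack_from("<BII", blob, pos)
        end = pos + 9 + length
        if end + 2 > len(blob):
            raise ValueError("attribute length exceeds stream")
        data = blob[pos + 9:end]
        if sum(data) & 0xFFFF != struct.unpack_from("<H", blob, end)[0]:
            raise ValueError("attribute checksum mismatch")
        yield level, tag & 0xFFFF, data  # low 16 bits of the tag are the attribute id
        pos = end + 2

def find_embedded_ole(blob):
    """Return (attribute name, offset) for attachment attributes holding OLE data."""
    hits = []
    for level, attr_id, data in tnef_attributes(blob):
        if level == LVL_ATTACHMENT and attr_id in ATTR_NAMES:
            off = data.find(OLE_CFB_MAGIC)
            if off != -1:
                hits.append((ATTR_NAMES[attr_id], off))
    return hits

def build_attr(level, tag, data):
    """Serialize one TNEF attribute (used only to build the constructed sample)."""
    return struct.pack("<BII", level, tag, len(data)) + data + struct.pack("<H", sum(data) & 0xFFFF)

# Constructed sample: a version attribute, then an attachment attribute whose
# payload is 16 filler bytes followed by the OLE magic. Not a real message.
SAMPLE = (
    struct.pack("<IH", TNEF_SIGNATURE, 1)
    + build_attr(0x01, 0x00089006, struct.pack("<I", 0x00010000))  # attTnefVersion
    + build_attr(0x02, 0x00069005, b"\x00" * 16 + OLE_CFB_MAGIC + b"\x00" * 8)
)

if __name__ == "__main__":
    print(find_embedded_ole(SAMPLE))
```

A hit only means the attachment deserves a closer look or quarantine; confirming an OLE attachment requires decoding the MAPI properties inside the attribute.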
