Brutkey

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

@cR0w@infosec.exchange Yeah. I seem to remember some supernerd friends having this argument about email a long time ago. Whether it's considered AV:N and UI:R or not.

I say 'yes' to both because the CVSS specification says that UI includes a "user-initiated process".

By default, Outlook does not start on a computer until the user at minimum logs in to the computer (usually they have to start Outlook manually to boot), which initiates the process.

Reading the CVSS spec is hard though, let's go shopping.


cR0w
@cR0w@infosec.exchange

@reverseics@infosec.exchange I agree with your take. Luckily, the nuance is handled by analysts who are capable of thinking and not by just the scores, right?

Oh.

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

@cR0w@infosec.exchange You could actually argue this is: AV:N/AC:H/UI:R, high attack complexity because the default configuration of Outlook has no accounts attached and thus does not actually check any email from any server; triggering the vulnerability therefore requires a nonstandard configuration.

CVSS pedantry? In this economy?