Outlook on the web bans a further 38 file types

Credit to Author: John E Dunn| Date: Mon, 30 Sep 2019 11:56:21 +0000

News for Outlook on the web users who regularly email attachments: Microsoft is about to put another 38 file extensions on its too risky to receive blocklist.

Once there – implemented through Outlook’s BlockedFileTypes filter – Outlook for the web recipients will no longer be able to receive attachments using these extensions.

Microsoft already restricts 104 file extensions and, in truth, the 38 added to this list aren’t ones most Outlook for the web users will have need to send often, assuming they’ve heard of some of them at all.

The better-known extensions on the latest list are:

Python.py, .pyc, .pyo, .pyw, .pyz, .pyzw

PowerShell.ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .psd1, .psdm1, .psd1, .psdm1, .cdxml, .pssc

Java.jar, .jnlp

Digital certificates.cer, .crt, .der

And some less well-known ones:

Windows ClickOnce.appref-ms

Microsoft Data Access Components (MDAC).udl

Windows sandbox.wsb

Vulnerable legacy applications.appcontent-ms, .settingcontent-ms, .cnt, .hpj, .website, .webpnp, .mcf, .printerexport, .pl, .theme, .vbp, .xbap, .xll, .xnk, .msu, .diagcab, .grp

The reason for the move is security.  Attachments, including obscure ones, have long been a popular technique for sneaking malware past inbox security checks when widely used extensions such .docx and .pdf became too obvious.

Outlook’s 142-strong blocklist opens even more clear water between itself and Google whose current Gmail GSuite blocklist contains only the following 44 extensions:

.ade, .adp, .apk, .appx, .appxbundle, .bat, .cab, .chm, .cmd, .com, .cpl, .dll, .dmg, .exe, .hta, .ins, .isp, .iso, .jar, .js, .jse, .lib, .lnk, .mde, .msc, .msi, .msix, .msixbundle, .msp, .mst, .nsh, .pif, .ps1, .scr, .sct, .shb, .sys, .vb, .vbe, .vbs, .vxd, .wsc, .wsf, .wsh

The restriction on Java .js and .jse having been implemented as recently as February 2017.

Bypassing blocking

What happens if there is a genuine need to receive files with a banned extension?

Assuming the sender and recipient aren’t able to use a different email system, the easiest way is for Office 365, Exchange Server, or Exchange Online admins to allowlist specific extensions.

In a strange anomaly, one file extension not on the blocklist is .ace, a compressed WinRAR file format which earlier this year was discovered to have a 19-year-old flaw (CVE-2018-20250) cybercriminals had started exploiting.

Although not discovered by Microsoft, the company was prominent in warning users about the threat posed by malicious files using this file extension.

It’s true that admins can configure Exchange/Outlook to this extension, but wouldn’t it have been easier to do it by default?

http://feeds.feedburner.com/NakedSecurity

Leave a Reply