[12477] in bugtraq


MS Outlook alert : Cuartango Active Setup

daemon@ATHENA.MIT.EDU (Elias Levy)
Mon Nov 8 15:08:36 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id:  <19991108115405.A11777@securityfocus.com>
Date:         Mon, 8 Nov 1999 11:54:05 -0800
Reply-To: aleph1@SECURITYFOCUS.COM
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Juan Carlos Garcia Cuartango has found the following security vulnerability
in Microsoft Outlook. This is a highly dangerous issue. It allows a remote
attacker to email an Outlook user an executable which will be run when
the user views the attachment without asking them whether to save it or
execute it. This vulnerability could be used by a virus like Melissa to
propagate itself across the network. Any user that views the attachment
would then become infected. Juan has worked with Microsoft to release
a fix. It should be out today.

I asked Juan to release full details but because of the potential damage
he would rather keep example exploits to himself. That being said there are
enough details here to reverse engineer the vulnerability. If anyone figures
them out, post to the list.

Quick fix: Disable Javascript in Outlook.

This is BUGTRAQ ID 775. You can view our vulnerability database entry at:
http://www.securityfocus.com/bid/775

Message-ID: <001501bf29d0$db3b5ba0$6480e381@home>
From: "Juan Carlos Garcia Cuartango" <cuartango@teleline.es>
To: <aleph1@securityfocus.com>
Subject: MS Outlook alert : Cuartango Active Setup
Date: Mon, 8 Nov 1999 11:05:57 +0100
X-Mailer: Microsoft Outlook Express 5.00.2314.1300

Hi,
I believe I have discovered a major security issue affecting the majority of MS e-mail programs:
- Outlook Express 4
- Outlook Express 5
- Outlook 98
- Outlook 2000
The vulnerability allows the execution of any program just after opening any mail attachment like MID, WAV, GIF, MOV, TXT, XYZ ...
The hole comes from the fact that Outlook programs will create attached files in the temporary directory, usually C:\TEMP in Windows NT or C:\WINDOWS\TEMP in Windows 95-98, using the original name of the attached file.
If the detached file is in fact a cabinet file containing a software package, any action on the victim's machine can be taken using the MS ActiveX component for software installation (Active Setup component).
There is a high risk when the exploit uses files like MID: a "double click" will immediately open the Multimedia player without asking the user about any risk.
I think this is an important issue, the method I have described could be used as a way to widely deploy a virus because few people will suspect an innocent multimedia attachment (Outlook programs tend to trust Multimedia attachments).
There is a workaround:
Change the temporary directories' location defined in the environment variables %TEMP% and %TMP%. Make these variables point to an unpredictable path. Another workaround would be the traditional one: disable active scripting.
MS was informed about the issue last 12 October. They are supposed to immediately release a fix.
Regards,
Juan Carlos García Cuartango


----- End forwarded message -----

--
Elias Levy
Security Focus
http://www.securityfocus.com/
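
The root cause named in the forwarded report (attachments written to the temporary directory under their original name) and the idea behind the %TEMP% workaround (an unpredictable path), as an added example that is not part of the original post and is neither Outlook's code nor Microsoft's fix. The function names are hypothetical, the sample bytes are constructed, and Python stands in for a mail client's attachment handling.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath


def predictable_save(temp_dir, attachment_name, data):
    """Pattern from the advisory: <temp dir>/<original attachment name>."""
    path = Path(temp_dir) / attachment_name
    path.write_bytes(data)
    return path


def safe_leaf(attachment_name):
    """Keep only the final name component; drop drive, dirs and dot entries."""
    leaf = PureWindowsPath(attachment_name).name
    return leaf if leaf not in ("", ".", "..") else "attachment"


def hardened_save(temp_dir, attachment_name, data):
    """Save inside a fresh, randomly named, owner-only directory."""
    private_dir = tempfile.mkdtemp(prefix="att-", dir=temp_dir)  # mode 0700
    path = Path(private_dir) / safe_leaf(attachment_name)
    # O_EXCL: fail rather than reuse a file someone else placed first.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = b"constructed sample bytes"  # constructed, not a real attachment
    with tempfile.TemporaryDirectory() as tmp:  # stands in for %TEMP%
        print(predictable_save(tmp, "song.mid", sample))  # same path every time
        print(hardened_save(tmp, "song.mid", sample))     # random parent dir
        print(hardened_save(tmp, "song.mid", sample))     # differs from the last
```

The first function always yields the same full path for a given attachment name, which is what makes the location guessable; the hardened one yields a different parent directory on every call.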
