[12478] in bugtraq


Re: MS Outlook alert : Cuartango Active Setup

daemon@ATHENA.MIT.EDU (David LeBlanc)
Mon Nov 8 16:25:01 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id:  <3.0.3.32.19991108130423.04a8e600@mail.mindspring.com>
Date:         Mon, 8 Nov 1999 13:04:23 -0800
Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
From: David LeBlanc <dleblanc@MINDSPRING.COM>
X-To:         aleph1@SECURITYFOCUS.COM, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19991108115405.A11777@securityfocus.com>

At 11:54 AM 11/8/99 -0800, Elias Levy wrote:
>Juan Carlos Garcia Cuartango has found the following security vulnerability
>in Microsoft Outlook. This is a highly dangerous issue. It allows a remote
>attacker to email an Outlook user an executable which will be run when
>the user views the attachment without asking them whether to save it or
>execute it.

>Quick fix: Disable Javascript in Outlook.

There's a wrinkle in this one that I think people need to be aware of -
Outlook uses the security zones that IE also uses.  By default, everything
runs in the 'Internet Zone', though you can get your mail to run in the
"Untrusted Zone".  Even if your mail is currently set to run in the
untrusted zone, any HTML attachments will run in the "Internet Zone".  I
have now been running my e-mail client at work using the untrusted zone
(and actually tweaked beyond that) for a couple of months, and have not
noticed any ill effects at all.  I also like to view HTML attachments as
pure text to see what is in there, but then I'm fairly paranoid and
recognize that end-users can't be expected to do that.

If you want to make sure you've got all the bases covered, then you need to
disable JavaScript in both zones.  I also recommend investigating all
sorts of attachments carefully.


David LeBlanc
dleblanc@mindspring.com
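A defender-side check for the advice above, added here as an example and not part of the original post or of anything Microsoft shipped: it reads the "Active scripting" setting (registry value 1400) for the Internet zone (zone 3) and the Restricted sites zone (zone 4) from the current user's Internet Settings and reports whether scripting is disabled in both. The registry layout and the value meanings (0 = enabled, 1 = prompt, 3 = disabled) are those of later Windows/IE releases and are an assumption here; the 1999-era Outlook and IE builds the post discusses may store their zone configuration differently.

```powershell
# Added example (not from the original post): audit "Active scripting" in the
# IE Internet zone (3) and Restricted sites zone (4). Both matter because, as
# the post notes, HTML attachments open in the Internet zone even when mail
# itself is set to the restricted zone.
# Assumed registry layout (later Windows/IE versions):
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
#   DWORD 1400 -> 0 = enabled, 1 = prompt, 3 = disabled

$zoneBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$meaning  = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }

function Get-ActiveScriptingState {
    param([int]$ZoneId)
    $key   = Join-Path $zoneBase $ZoneId
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.'1400') {
        # Value absent: the built-in default for that zone applies.
        return [pscustomobject]@{ Zone = $zones[$ZoneId]; State = 'not set (default applies)'; Raw = $null }
    }
    $raw   = [int]$props.'1400'
    $state = if ($meaning.ContainsKey($raw)) { $meaning[$raw] } else { "unknown ($raw)" }
    [pscustomobject]@{ Zone = $zones[$ZoneId]; State = $state; Raw = $raw }
}

# Report each zone; only an explicit value of 3 counts as "scripting disabled".
foreach ($id in ($zones.Keys | Sort-Object)) {
    $r    = Get-ActiveScriptingState -ZoneId $id
    $flag = if ($r.Raw -eq 3) { 'OK    ' } else { 'REVIEW' }
    '{0} {1,-16} active scripting: {2}' -f $flag, $r.Zone, $r.State
}
```

Run it in the context of the user whose mail client is being checked; a `REVIEW` line for either zone means scripted content in mail or in an HTML attachment could still execute. Machine-wide policy (HKLM) can override the per-user values shown here, so treat the output as a first check rather than a complete audit.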
