[20033] in bugtraq
Re: Incorrect MIME Header Can Cause IE to Execute E-mail
daemon@ATHENA.MIT.EDU (ziss)
Thu Apr 5 01:48:46 2001
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID: <001101c0bdb0$a3429f40$010a0a0a@athlon>
Date: Wed, 4 Apr 2001 21:12:51 -1200
Reply-To: ziss <ziss@PHREAKER.NET>
From: ziss <ziss@PHREAKER.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
On Fri, 30 Mar 2001, Juan Carlos Garcia Cuartango wrote:
> Hi, Microsoft has released a security bulletin
> http://www.microsoft.com/technet/security/bulletin/ms01-020.asp
> entitled "Incorrect MIME Header Can Cause IE to Execute E-mail
> Attachment". EML files are MIME multipart files that IE 5 will parse.
> There is a vulnerability allowing arbitrary code execution using this
> kind of file. This vulnerability could allow a hostile page or e-mail
> to perform any action on your computer. The vulnerability affects IE
> 5, IE 5.5 over all Windows platforms. I have prepared some demos about
> the vulnerability in www.kriptopolis.com (major Spanish security site)
> : http://www.kriptopolis.com/cua/eml.html Note: If you want to have a
> look at the hostile EML files you must click the right mouse button
> over the pictures and select the "Save Target As" menu option.
> Regards, Juan Carlos G. Cuartango
Hi,
Firstly, following the link above, Cuartango has said "If you are using
Windows Media Player 7 the demo will not work". This is incorrect: testing
with IE 5.0 on Windows 2000 with Windows Media Player 7 (7.00.00.1956), the
EML files download and launch automatically, causing the specified code to
execute.
Secondly, the file extension .NWS (OE News File) will achieve the same
result as a .EML file. So if you're filtering for these at your mail/proxy
server, you might want to block these also. Like the .EML files, these also
execute upon 'selecting' in Windows Explorer because of the preview
function.
ziss.
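
The gateway-side extension filter suggested above, as an added example that is not part of the original post: it walks every MIME part of a message and flags any part whose declared file name ends in .eml or .nws. The function names and the sample message are constructed for illustration, and the trailing-dot and Content-Type `name=` handling are assumptions about what a filter should normalize, not details from the post.

```python
import email
from email import policy
from email.utils import collapse_rfc2231_value

BLOCKED_EXTENSIONS = {".eml", ".nws"}  # the two extensions named in the post

def effective_extension(filename):
    # Windows drops trailing dots and spaces, so "x.nws." still opens as .nws
    name = filename.rstrip(". \t").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def declared_names(part):
    """Every file name a MIME part declares, from either header."""
    raw = [part.get_param("filename", header="content-disposition"),
           part.get_param("name")]  # Content-Type name= can differ from filename=
    return [collapse_rfc2231_value(v) for v in raw if v]

def blocked_parts(raw_message):
    """Return (declared name, content type) for each part a filter should stop."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() descends into nested multiparts
        for name in declared_names(part):
            if effective_extension(name) in BLOCKED_EXTENSIONS:
                hits.append((name, part.get_content_type()))
                break
    return hits

# Constructed sample message (not taken from the demos referenced in the thread)
SAMPLE = (
    b"From: a@example.org\r\nTo: b@example.org\r\n"
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="Report.NWS."\r\n'
    b'Content-Disposition: attachment; filename="report.txt"\r\n\r\nx\r\n'
    b"--b1\r\n"
    b"Content-Type: message/rfc822\r\n"
    b'Content-Disposition: attachment; filename="fwd.eml"\r\n\r\n'
    b"Subject: inner\r\n\r\nbody\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for name, ctype in blocked_parts(SAMPLE):
        print("block:", repr(name), ctype)
```

The second part of the sample is flagged only because both headers are checked: its Content-Disposition says `report.txt` while its Content-Type `name=` says `Report.NWS.`.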