[23409] in bugtraq


Microsoft's Outlook Express 6 "E-mail attachment security" Flawed

daemon@ATHENA.MIT.EDU (Arie Slob)
Wed Dec 5 18:31:33 2001

Message-ID: <00b601c17d1d$d42172d0$0100000a@WinXPPro>
Reply-To: "Arie Slob" <arie@infinisource.com>
From: "Arie Slob" <arie@infinisource.com>
To: <bugtraq@securityfocus.com>
Date: Wed, 5 Dec 2001 00:46:00 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_00B4_01C17D26.357DF140"

------=_NextPart_000_00B4_01C17D26.357DF140
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

Hi,

I was contacted by David McSpadden, a Network Administrator from the
Indiana Members Credit Union who pointed out the following:

---------------------------

I was wondering if you could replicate something I have found.
I set up attachment blocking as per (Q291387) on my Windows 2000
Professional Sp2 workstation for testing.  Thinking we might implement
this as policy on all of our workstations with Outlook Express 6.0.  It
did correctly block the attachments of the extensions I specified.
However, if I simply try and forward the email the 'blocked' item
appears and I can then save or open the attachment.  This creates a
dilemma.  Why should I even try and stop the attachments if I can get to
them anyway.

Please let me know if I am crazy or if I have found another hole in
Outlook Express.
---------------------------

Well, I think he's right. I tested it on XP, set OE to block
attachments.... that works... until you press FORWARD.... then you have
full access...........

I contacted Microsoft (secure@microsoft.com) who wrote back with the
attached email.

I have published an article on our Web site about this:

http://www.windows-help.net/microsoft/oe6-attach.html


Regards,

Arie Slob,
VP Information Systems
InfiniSource, Inc.
<arie@infinisource.com>



------=_NextPart_000_00B4_01C17D26.357DF140
Content-Type: message/rfc822;
	name="RE_ Microsoft's Outlook Express 6 _E-mail attachment security_ Flawed (tb).eml"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="RE_ Microsoft's Outlook Express 6 _E-mail attachment security_ Flawed (tb).eml"

Received: from mail2.microsoft.com (mail2.microsoft.com [131.107.3.124])
	by linux748.dn.net (8.9.3/(dn/norelay)) with ESMTP id RAA15783
	for <arie@infinisource.com>; Tue, 4 Dec 2001 17:00:19 -0500
Received: from INET-VRS-02.redmond.corp.microsoft.com ([157.54.8.110]) by mail2.microsoft.com with Microsoft SMTPSVC(5.0.2195.2966);
	 Tue, 4 Dec 2001 14:00:21 -0800
Received: from 157.54.6.197 by INET-VRS-02.redmond.corp.microsoft.com (InterScan E-Mail VirusWall NT); Tue, 04 Dec 2001 14:00:20 -0800
Received: from red-msg-18.redmond.corp.microsoft.com ([157.54.4.138]) by inet-hub-06.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2966);
	 Tue, 4 Dec 2001 14:00:21 -0800
X-Mimeole: Produced By Microsoft Exchange V6.0.5762.3
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="------------InterScan_NT_MIME_Boundary"
Subject: RE: Microsoft's Outlook Express 6 "E-mail attachment security" Flawed (tb)
Date: Tue, 4 Dec 2001 14:00:20 -0800
Message-ID: <949915AAAC8CED4B823E2B1BBD0B3E7FDCC5E0@red-msg-18.redmond.corp.microsoft.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Microsoft's Outlook Express 6 "E-mail attachment security" Flawed (tb)
Thread-Index: AcF9BNmuBYnvOp/2QFq4nk2EIPB+mAACC/fg
From: "Microsoft Security Response Center" <secure@microsoft.com>
To: "Arie Slob" <arie@infinisource.com>
Cc: "Microsoft Security Response Center" <secure@microsoft.com>
X-OriginalArrivalTime: 04 Dec 2001 22:00:21.0135 (UTC) FILETIME=[114D61F0:01C17D0F]
X-UIDL: WQP"!398"!BMA"!^2o"!

This is a multi-part message in MIME format.

--------------InterScan_NT_MIME_Boundary
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C17D0F.10E7002E"

------_=_NextPart_001_01C17D0F.10E7002E
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

Dear Arie

Thank you for taking the time to email us.  The capability to forward an
email with an attachment is a feature in Outlook Express that is
by-design. As you mention, Outlook Express does allow the blocking of
unsafe attachments.

It looks like Outlook Express successfully blocked the attachment in the
Inbox for David McSpadden.

It is important for users to recognize that greyed-out attachments are
not safe to be opened, and users should be deleting, not forwarding, an
email with a greyed-out attachment.

Many thanks again for taking the time to email us.

secure@microsoft.com



-----Original Message-----
From: Arie Slob [mailto:arie@infinisource.com]
Sent: Tuesday, December 04, 2001 12:46 PM
To: Microsoft Security Response Center
Subject: Microsoft's Outlook Express 6 "E-mail attachment security"
Flawed

Hi,

Although this isn't anything fancy, I thought you'd like to know.

OE6 allows for a setting on the Security tab (Tools > Options) Do not
allow attachments to be saved or opened that could potentially be a
virus.

I have always argued that Microsoft should have this setting enabled as
default, to reduce the number of worms spreading, due to the nature that
most people just seem to open any and all attachments they receive,
without giving it a second thought.

But today I was contacted by David McSpadden, a Network Administrator
from the Indiana Members Credit Union, who asked me for some advice on a
problem he seemed to be having: When he tried to forward an e-mail with
a "blocked" attachment, the attachment becomes available to be run or
saved!

I tried the same on my install of Windows XP / OE6, and sure enough.....


Please note that I'm planning to release an article on our Web site, the
concept can be found at
http://www.windows-help.net/microsoft/oe6-attach.html


Regards,

Arie Slob,
VP Information Systems
InfiniSource, Inc.
<arie@infinisource.com>

------_=_NextPart_001_01C17D0F.10E7002E--

--------------InterScan_NT_MIME_Boundary--


------=_NextPart_000_00B4_01C17D26.357DF140--
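
Added example (not part of the original post, and not Outlook Express
code): the report shows that a block applied only when a message is
displayed leaves the attachment in the stored message, where Forward
exposes it again. The Python below enforces the block by removing the
part itself, including inside a forwarded message/rfc822 part; the
extension list, file names and sample message are constructed for
illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list for illustration; the page does not give OE6's list.
BLOCKED_EXTS = (".exe", ".scr", ".pif", ".vbs", ".bat")


def is_blocked(part):
    """True when the part's declared filename ends in a blocked extension."""
    name = part.get_filename() or ""
    return name.lower().endswith(BLOCKED_EXTS)


def strip_blocked(msg):
    """Replace blocked attachments in place and return the removed names.

    A message/rfc822 part holds its inner message as a one-element payload
    list, so the recursion also cleans forwarded messages.
    """
    removed = []
    if not msg.is_multipart():
        return removed
    payload = msg.get_payload()  # the live list of sub-parts
    for i, part in enumerate(payload):
        if is_blocked(part):
            removed.append(part.get_filename())
            note = EmailMessage()
            note.set_content("[attachment %s removed by policy]"
                             % part.get_filename())
            payload[i] = note
        else:
            removed.extend(strip_blocked(part))
    return removed


def attachment_names(msg):
    """Every filename declared anywhere in the message tree."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample():
    """Constructed sample: a forward that carries a blocked attachment."""
    inner = EmailMessage()
    inner["Subject"] = "original"
    inner.set_content("see attached")
    inner.add_attachment(b"MZ-constructed-bytes", maintype="application",
                         subtype="octet-stream", filename="update.EXE")
    outer = EmailMessage()
    outer["Subject"] = "Fw: original"
    outer.set_content("forwarding this")
    outer.add_attachment(inner)  # becomes a message/rfc822 part
    outer.add_attachment("plain notes", filename="notes.txt")
    # Round-trip through bytes, as a gateway or mail store would see it.
    return message_from_bytes(outer.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    sample = build_sample()
    print("before:", attachment_names(sample))
    print("removed:", strip_blocked(sample))
    print("after:", attachment_names(sample))
```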

