[24243] in bugtraq
[ GFISEC04102001 ] Internet Explorer and Access allow macros to be executed automatically
daemon@ATHENA.MIT.EDU (Sandro Gauci)
Tue Feb 12 14:50:25 2002
Content-Type: text/plain;
charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Date: Tue, 12 Feb 2002 12:24:00 +0100
Content-Class: urn:content-classes:message
Message-ID: <5D2A48CAB588334D988A9407DDE02F0946AF16@mailserver.gfimalta.com>
From: "Sandro Gauci" <sandro@gfi.com>
To: <bugtraq@securityfocus.com>
GFI Security Labs Advisory
http://www.gfi.com/
----[Title:=20
[ GFISEC04102001 ] Internet Explorer and Access allow macros to be=20
executed automatically
----[Published:=20
12.FEB.2002
----[Vendor Status:
Microsoft has been informed and we have worked with them to release
a patch.
----[Systems Affected:=20
Windows machines with :
* Microsoft Access
and
* Internet Explorer version 5 till version 6. Older versions may be=20
vulnerable as well.
* Outlook Express 2000,
* Outlook Express 98,
* Outlook 2000,
* Outlook 98
* possibly other HTML and/or=20
Javascript enabled email clients.
----[The problem:
GFI, developer of email content checking & network security=20
software, has recently discovered a security flaw within=20
Internet Explorer which allows a malicious user to run=20
arbitary code on a target machine as it attempts to view=20
a website or an HTML email.=20
The problem is exploited by embedding a VBA code within a
Access database file (.mdb) within an Outlook Express email=20
file or Multipart HTML (mht) file.=20
If the email file is accessed using Internet Explorer, the=20
attachment may be automatically executed without triggering=20
any security alerts. The exploit will work regardless of=20
the security level (in our labs, we also tested it with High=20
Security and Restricted Zone).
This may be exploited through email by using an iframe=20
tag or using Active Scripting to call the malicious file=20
through an HTML email, allowing Internet Explorer to=20
automatically access the exploit EML file.
----[Proof of concept Exploit:
A live example of the named exploit is available on:
http://www.gfi.com/emailsecuritytest
----[Solution:
Filtering HTML email for JavaScript and similarly scripting=20
capabilities as well as checking for IFRAME will prevent the=20
exploit to be run through email. This can be easily done=20
using GFI's Mail essentials & Mail Security for Exchange 2000.
GFI Security Labs also recommends filtering out mdb files.
You might also want to consider blocking access to EML,=20
MHTML and MHT files through HTTP and SMTP. It is also=20
important to apply the patch distributed by Microsoft.
----[Reference:
http://www.gfi.com/emailsecuritytest
----[Contact Information:
Sandro Gauci
GFI Security Labs
sandro@gfi.com
http://www.gfi.com
GFI - Security & communications products for Windows NT/2000
http://www.gfi.com
**********************************************************
This mail was content checked for malicious code or viruses
by Mail essentials. Mail essentials for Exchange/SMTP is an
email security, content checking & anti-virus gateway that
removes all types of email-borne threats before they can affect
your email users. Spam, viruses, dangerous attachments & offensive
content can be removed before they reach your mail server.
In addition it has server-based email encryption, disclaimers
and other email features.
***********************************************************
In addition to Mail essentials, GFI also produces the FAXmaker
fax server product range & LANguard internet access control &
intrusion detection. For more information on our products please
visit http://www.gfi.com
