[ GFISEC04102001 ] Internet Explorer and Access allow macros to be executed automatically

From: Sandro Gauci (sandro@GFI.COM)
Date: 02/12/02


Date:         Tue, 12 Feb 2002 12:38:40 +0100
From: Sandro Gauci <sandro@GFI.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

GFI Security Labs Advisory
http://www.gfi.com/

----[Title:

[ GFISEC04102001 ] Internet Explorer and Access allow macros to be
                     executed automatically

----[Published:

12.FEB.2002

----[Vendor Status:

Microsoft has been informed and we have worked with them to release
a patch.

----[Systems Affected:

Windows machines with:

   * Microsoft Access

     and

   * Internet Explorer versions 5 through 6. Older versions may be
     vulnerable as well.

   * Outlook Express 2000,

   * Outlook Express 98,

   * Outlook 2000,

   * Outlook 98

   * possibly other HTML and/or
     Javascript enabled email clients.

----[The problem:

GFI, developer of email content checking & network security
software, has recently discovered a security flaw within
Internet Explorer which allows a malicious user to run
arbitrary code on a target machine as it attempts to view
a website or an HTML email.

The problem is exploited by embedding VBA code within an
Access database file (.mdb) within an Outlook Express email
file or Multipart HTML (mht) file.

If the email file is accessed using Internet Explorer, the
attachment may be automatically executed without triggering
any security alerts. The exploit will work regardless of
the security level (in our labs, we also tested it with High
Security and Restricted Zone).

This may be exploited through email by using an iframe
tag or using Active Scripting to call the malicious file
through an HTML email, allowing Internet Explorer to
automatically access the exploit EML file.

----[Proof of concept Exploit:

A live example of the named exploit is available on:

http://www.gfi.com/emailsecuritytest

----[Solution:

Filtering HTML email for JavaScript and similar scripting
capabilities, as well as checking for IFRAME, will prevent the
exploit from being run through email. This can be easily done
using GFI's Mail essentials & Mail Security for Exchange 2000.

GFI Security Labs also recommends filtering out mdb files.

You might also want to consider blocking access to EML,
MHTML and MHT files through HTTP and SMTP. It is also
important to apply the patch distributed by Microsoft.
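
The gateway-side checks recommended above, sketched as an added example
(not GFI's product code and not part of the original advisory): it walks a
MIME message and reports IFRAME/script content in HTML parts plus the
attachment types named here. The function names, the extension list and
the sample message builder are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

BLOCKED_EXT = (".mdb", ".eml", ".mht", ".mhtml")  # file types the advisory names

class ActiveContentFinder(HTMLParser):
    """Records IFRAME/SCRIPT tags, on* event handlers and script-scheme URLs."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.hits.append(f"<{tag}> tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.hits.append(f"{name} handler on <{tag}>")
            elif (value or "").strip().lower().startswith(("javascript:", "vbscript:")):
                self.hits.append(f"script URL in {name} of <{tag}>")

def scan_message(raw: bytes) -> list:
    """Return the reasons a gateway would quarantine this message (empty = clean)."""
    reasons = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXT):
            reasons.append(f"blocked attachment type: {name}")
        if part.get_content_type() == "message/rfc822":
            reasons.append("embedded message (EML)")
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            # latin-1 maps every byte, so decoding cannot fail and ASCII tag names survive
            finder.feed(part.get_payload(decode=True).decode("latin-1"))
            finder.close()
            reasons.extend(finder.hits)
    return reasons

def build_sample(html: str, attachment: str = "") -> bytes:
    """Constructed test message; addresses and file names are made up."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "test"
    msg.set_content("plain text body")
    msg.add_alternative(html, subtype="html")
    if attachment:
        msg.add_attachment(b"\x00placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()
```

Matching on the file name alone misses a renamed attachment, so a
production filter would also inspect the file content.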

----[Reference:

http://www.gfi.com/emailsecuritytest

----[Contact Information:

Sandro Gauci
GFI Security Labs
sandro@gfi.com
http://www.gfi.com
