Re: O UT LO OK E XPRE SS 6 .00 : broken

From: Thor Larholm (thor@PIVX.COM)
Date: 02/24/03

    Date:         Mon, 24 Feb 2003 02:13:23 +0100
    From: Thor Larholm <thor@PIVX.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Outlook Express is not the only vulnerable product.

    The culprit here is the codebase localPath vulnerability which was patched
    in Internet Explorer by MS02-015 in March 2002. GreyMagic had more fun with
    this at http://security.greymagic.com/adv/gm001-ie/ which is also the origin
    of the example displayed.

    MS02-015 crippled codeBase quite severely in Internet Explorer, completely
    removing most of its functionality in the Internet Zone. It is still
    possible to use this vulnerability in Internet Explorer in any local
    security zone, but getting to that zone in the first place is in itself an
    obstacle.

    Whatever Microsoft patched in MS02-015 (crippling codeBase in the Internet
    Zone to avoid the command execution vulnerability) was only applied to the
    IE-specific parts of MSHTML and not to any shared parts that third-party
    programs such as Outlook and Outlook Express utilize. This despite our
    impression that MS02-015 removed the problem.

    This is apparent if you examine Outlook 2000 which can also execute
    arbitrary commands automatically upon reading mails if you have set the
    security zone to the Internet Zone - just like Outlook Express as displayed
    by http-equiv.

    The default security zone for Outlook 2000 is the Internet Zone. It is only
    after you apply Office 2000 Service Pack 3 that the default zone is changed
    to the Restricted zone, so remember either to apply O2KSP3 or manually
    change your zone settings to Restricted at your earliest convenience.

    Does Eudora still use the Internet Zone for viewing HTML mail? If so, it is
    also still vulnerable to the codeBase command execution vulnerability, like
    any other application that is embedding MSHTML.

    Regards
    Thor Larholm
    PivX Solutions, LLC - Senior Security Researcher

    Latest PivX research: Multi-Vendor Unreal Engine Advisory
    http://www.pivx.com/press_releases/ueng-adv_pr.html

    ----- Original Message -----
    From: "http-equiv@excite.com" <http-equiv@MALWARE.COM>
    To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
    Sent: Saturday, February 22, 2003 4:36 PM
    Subject: O UT LO OK E XPRE SS 6 .00 : broken

    > Saturday, February 22, 2003
    >
    > Technical silent delivery and installation of an executable no client
    > input other than reading an email or viewing a newsgroup message.
    > Outlook Express 6.00 SP1 Cumulative Pack 1 2 3 4 whatever.

    Rest of original http-equiv post at
    http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0302&L=ntbugtraq&F=P&S=&P=5888

    The rest was snipped to avoid barking from premenstrual antivirus scanners.
