Re: NOT GOOD: Outlook Express 6 + Internet Explorer 6
From: Fish (fish_at_INFIDELS.ORG)
Date: Fri, 2 Apr 2004 00:56:50 -0800
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> This also works just fine on Outlook 2003 in default
> configuration with Exchange Outlook Security Template
> with IE 6.x fully patched. Suspect earlier versions
> of Outlook work also.
Not on my system running Outlook 98 it doesn't. <shrug>
But then again, my Restricted Sites security zone isn't using the
default settings either. ;-)
I honestly don't understand why so many people trust "default"
settings -- especially default SECURITY settings.
I have my Restricted Sites zone configured with everything set to
'Disable'. Double-clicking the exploit .eml file launches Outlook
Express on my system even though I have my system configured to use
Outlook as my email client and not Outlook Express -- go figure.
<shrug> I guess Windows/Internet Explorer ignores your preferences
and uses your file type (file extension) associations instead.
Anyway, Outlook Express launches and the exploit email (form?)
appears with the link highlighted. I click on the link and
immediately get a "Security Alert" popup dialog informing me:
"Your current security settings do not allow you to send HTML
So I don't think the exploit worked. :)
I then opened the exploit .eml file in notepad and copy & pasted the
URL from there (http://www.malware.com/t-bill.html) into the address
bar of Internet Explorer, and guess what?
A completely blank page. :)
Viewing the source to this page reveals the following:
::/foo.html" type="text/x-scriptlet" style="visibility:hidden">
Note that the above tag ("xbject") appears EXACTLY as you see it:
"xbject" and NOT "object" as one might at first suspect. That is
because: 1) my Internet Explorer is configured to use my AdCruncher
Proxy as an HTTP proxy, and 2) my AdCruncher Proxy filtering plugin
is configured to automatically disable all malware type exploits
(scripts, objects, embedded, etc) for all sites that I "do not trust"
(which is ALL sites by default).
So.... what does all this mean?
Well, what it means to ME is:
1. One should not trust "default" security settings and instead to
manually review and modify/set them according to your OWN standards.
2. AdCruncher Proxy -- with its ability to disable any/all
scripting on any/all web sites/pages desired -- has once again proven
itself to be a valuable extra layer of protection against HTTP based
"Fish" (David B. Trout)
Fight Spam! Join CAUCE!
It still needs a LOT of work (and I'm currently in the process of
trying to get that [much needed] work done too -- along with a LOT of
other work besides), as does the default plugin filtering DLL too,
but even in its current state it's *still* (IMO) a halfway decent
product. <shrug> But then, I'm biased I guess. ;-)
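As an added illustration of the neutering the post describes (the "xbject" tag), here is a small filter of the same kind. It is not code from the post or from AdCruncher; the tag list, the trusted-host set and the sample HTML are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Active-content tags to neuter on untrusted sites. Assumed list, modelled on
# the post's "scripts, objects, embedded, etc"; not AdCruncher's own list.
ACTIVE_TAGS = ("object", "script", "embed", "applet")

# Matches the opening or closing form of each tag name, case-insensitively.
# The lookahead requires whitespace, '>' or '/' after the name so that an
# unrelated element such as <objective> is left alone.
_TAG_RE = re.compile(
    r"<(/?)(" + "|".join(ACTIVE_TAGS) + r")(?=[\s>/])", re.IGNORECASE
)

# Hosts whose pages pass through unmodified (constructed placeholder).
TRUSTED_HOSTS = frozenset({"intranet.example"})


def neuter_tag(m: "re.Match[str]") -> str:
    """Swap the first letter of the tag name for 'x' (object -> xbject,
    script -> xcript). The browser then sees an unknown element and renders
    nothing, while the page source still shows what was attempted."""
    slash, name = m.group(1), m.group(2)
    return f"<{slash}x{name[1:]}"


def filter_html(html: str, url: str, trusted_hosts: frozenset = TRUSTED_HOSTS) -> str:
    """Return html unchanged for a trusted host, otherwise with every
    active-content tag renamed so it no longer executes."""
    host = (urlsplit(url).hostname or "").lower()
    if host in trusted_hosts:
        return html
    return _TAG_RE.sub(neuter_tag, html)


# Constructed sample page: a hidden scriptlet object of the shape quoted in
# the post, plus an external script. The URLs are placeholders.
SAMPLE_HTML = (
    '<html><body>'
    '<object data="http://untrusted.example/foo.html" '
    'type="text/x-scriptlet" style="visibility:hidden"></object>'
    '<script src="http://untrusted.example/x.js"></script>'
    '</body></html>'
)

if __name__ == "__main__":
    print(filter_html(SAMPLE_HTML, "http://untrusted.example/t-bill.html"))
```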