OUTLOOK 2003: OuchLook

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 05/19/04

    Date:         Tue, 18 May 2004 19:23:26 -0400

    -----Original Message-----
    From: http-equiv@excite.com [mailto:1@malware.com]
    Sent: Tuesday, May 18, 2004 4:23 PM
    To: NTBugtraq@listserv.ntbugtraq.com
    Cc: Russ Cooper
    Subject: OUTLOOK 2003: OuchLook

    Sunday, May 09, 2004

    Outlook 2003, the premier mail client from the company
    called 'Microsoft', certainly appears to have a lot of security
    features built into it. Cursory examination shows excellent
    thought into 'spam' containment, 'security' consideration and
    many other little 'things'.

    However there is a fundamental flaw with this particular device.
    That is, it copies our arbitrary file with given name into a
    known and easily reachable location:

    <img src="malware.htm" style="display:none">

    when embedded into the body of a mail message and when the
    recipient replies, will copy itself into temp folder:

    C:\\Documents and Settings\\<user name>\\Local

    This location can be quite easily reached without having to know
    the user name [courtesy of jelmer]:

    <a href="shell:user profile\\local

    The scenario is 'painstakingly' trivial. Send your cohort at
    the office an email that requires a reply. Embed in it an HTML
    file out of sight. Either send them a second message with any
    number of 'spoofed' URL schemes pointing to the file in the
    temp, or direct them to a web site which will reach into the
    temp folder via the same URL and install and run our malicious

    Very Silly Design Error.

    End Call
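
A mail-gateway style check for the two markers the post describes, as an added example that is not part of the original message: it flags `<img>` tags whose source is not an image file or that are hidden with CSS, and any `shell:` URL in a link or source attribute. The function name `audit`, the extension allow-list and the sample bodies are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

# Assumed allow-list of extensions a legitimate inline image would carry.
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}


class MailBodyAudit(HTMLParser):
    """Collect (kind, value) findings from an HTML mail body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            src = a.get("src", "")
            parts = urlsplit(src)
            path = parts.path
            if parts.scheme == "cid":        # inline attachment: name@content-id
                path = path.split("@")[0]
            ext = posixpath.splitext(path.lower())[1]
            style = a.get("style", "").replace(" ", "").lower()
            if ext and ext not in IMAGE_EXTS:
                self.findings.append(("img-non-image-src", src))
            if "display:none" in style or "visibility:hidden" in style:
                self.findings.append(("img-hidden", src))
        for name in ("href", "src"):
            if a.get(name, "").strip().lower().startswith("shell:"):
                self.findings.append(("shell-scheme", a[name]))


def audit(html_body):
    """Return the list of findings for one HTML body."""
    parser = MailBodyAudit()
    parser.feed(html_body)
    parser.close()
    return parser.findings


# Constructed sample bodies. The img tag and the (truncated) shell: value are
# copied as printed in the post; everything around them is made up.
REPLY_BAIT = '<p>Please reply.</p><img src="malware.htm" style="display:none">'
FOLLOW_UP = r'<a href="shell:user profile\\local">report</a>'
BENIGN = '<p>Hi</p><img src="cid:logo.gif@01C43D12" style="border:0">'

if __name__ == "__main__":
    for body in (REPLY_BAIT, FOLLOW_UP, BENIGN):
        print(audit(body))
```

Either finding on its own is a weak signal; a hidden image whose source is an HTML file, followed by a message carrying a `shell:` link, is the combination the post describes.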

