Re: ROCKET SCIENCE: Outllook 2003

From: Fritz Öhman (techie_at_HOME.SE)
Date: 05/20/04

    Date:         Thu, 20 May 2004 12:18:34 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Russ,

    Just noting that this does not work here, i.e. the file does not open
    automatically. After changing settings, unchecking 'read mail as plain
    text', I get a graphic saying 'malware' and an embedded object that, *when*
    clicked (not automatically) plays a small video and then I get asked if I
    want to save or run an untrusted .EXE.

    Fwiw

    Fritz

    > -----Original Message-----
    > From: Windows NTBugtraq Mailing List
    > [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of http-equiv@excite.com
    > Sent: den 18 maj 2004 22:21
    > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    > Subject: ROCKET SCIENCE: Outllook 2003
    >
    > Monday, May 17, 2004
    >
    > Technical final step to 'silent delivery and installation of an
    > executable on the target computer, no client input other than
    > reading an email' this can be achieved with the highly
    > touted 'secure-by-default' Outlook 2003 mail client from the
    > craftsman known as 'Microsoft'.
    >
    > Default settings of the 'gadget' are: restricted zone which
    > means no active x controls, no scripting, no file downloads etc.
    >
    > This can all very easily be bypassed by simply embedding in a
    > rich text message our OLE object, one Windows Media Player. We
    > then point our source url to our media file which includes or
    > our now run-of-the-mill 0s url flip and simply by previewing or
    > opening the email message invoke our device known as Internet
    > Explorer to proxy our manipulation of the recipient's machine.
    >
    > In typical fashion despite the settings in the Windows Media
    > Player being set to 'disallow' scripting in media files, despite
    > Outlook 2003's 'highly' secure default setting of view html
    > content in the so-called 'restricted zone'; it all still works !
    >
    > [screen shot: http://www.malware.com/rockitman.png 46KB]
    >
    > This now all automates our process and coupling it with our
    > previous first step finding:
    >
    > [http://www.securityfocus.com/bid/10307]
    >
    > all we need to do next is our second step and embed the entire
    > package including the media file into the mail message and send
    > it along its merry way.
    >
    > The whole Outlook 2003 'gadget' is broken.
    >
    > Working Example:
    >
    > Simply view the mail message:
    >
    > http://www.malware.com/rockIT.zip
    >
    > Notes:
    >
    > 1. Miserable selection of full screen = true can allow us to run
    > our 'video' in WMP full screen mode. How about that: forget
    > about html spam messages, now we have full screen video
    > advertisements on opening the mail message.
    > 2. Tested on XP, 2K3 POP mail client settings Outlook 2003,
    > Exchange Server settings unknown at this time
    > 3. Subject to initial WMP settings a notification of connection
    > settings can pop up, however generally dismissed at first
    > running of WMP along with neither yes nor no selection having an
    > effect [as usual].
    > 4. Firewalls should flag Outlook itself trying to escape out on
    > port 80. Nevertheless if all embedded no need for remote hosting.
    > 5. Disable HTML settings or get another mail client [better of
    > the two as below]
    > 6. Lots more where this came from
    >
    >
    > End Call
    >
    > --
    > http://www.malware.com
    >
    > -----
    > Patch Automation v6.0 by Mobile Automation, Inc. allows you to quickly
    > identify and fix all PC's that are exposed to the Sasser worm! Our
    > solution
    > provides quick and seamless discovery and deployment of all your PC
    > computer's Microsoft security patching needs. Regardless of where you're
    > PC's reside (inside the LAN, at home or on the road), Patch Automation
    > gets
    > the job done. Contact us to learn about our free 30-day trial version at
    > 800-344-1150 or visit our website at <http://www.patchautomation.com>
    > -----

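A gateway-side check for the two carriers this thread turns on, a rich-text (TNEF) part that can hold an embedded OLE object and HTML bodies containing embedded objects, added here as an example that is not from either poster. The function names, the sample messages, and the placeholder class ID and URL are constructed; flagging every TNEF part is deliberately coarse.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

TNEF_MAGIC = b"\x78\x9f\x3e\x22"  # TNEF signature 0x223E9F78, little-endian
ACTIVE_TAGS = {"object", "embed", "iframe", "script"}

class _TagFinder(HTMLParser):
    """Collects active-content tags and what they point at."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            a = dict(attrs)
            ref = a.get("classid") or a.get("src") or a.get("data") or ""
            self.hits.append(f"html-{tag}:{ref}")

def scan_message(raw):
    """Return a list of findings for one raw RFC 5322 message (bytes)."""
    findings = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        ctype, body = part.get_content_type(), part.get_content()
        if ctype == "text/html":
            finder = _TagFinder()
            finder.feed(body)
            findings += finder.hits
        elif isinstance(body, bytes) and (
            ctype == "application/ms-tnef" or body[:4] == TNEF_MAGIC
        ):
            # Rich-text mail travels as a TNEF blob, usually named winmail.dat
            findings.append("tnef:" + (part.get_filename() or "unnamed"))
    return findings

def sample(kind):
    """Constructed test messages; class ID and URL are placeholders."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain body")
    if kind == "tnef":
        m.add_attachment(TNEF_MAGIC + b"\x00" * 8, maintype="application",
                         subtype="ms-tnef", filename="winmail.dat")
    elif kind == "html":
        m.add_alternative('<object classid="clsid:00000000-0000-0000-0000-000000000000">'
                          '<embed src="http://example.invalid/clip.asf"></object>',
                          subtype="html")
    return m.as_bytes()
```

Findings are meant as quarantine or logging input alongside the client-side 'read mail as plain text' setting mentioned in the reply.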
    
