[NT] MHTML vulnerability in Outlook Express
From: support@securiteam.com
Date: 04/24/03
From: support@securiteam.com To: list@securiteam.com Date: 24 Apr 2003 20:32:08 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
MHTML vulnerability in Outlook Express
------------------------------------------------------------------------
SUMMARY
Microsoft Outlook Express is the default mail agent installed with
Microsoft Windows.
A vulnerability in Outlook Express allows an attacker to run code of the
attacker's choice on a user's machine. To exploit the vulnerability, an
attacker would have to be able to cause Windows to open a specially
constructed MHTML URL, either on a web site or included in an HTML e-mail
message.
DETAILS
Vulnerable systems:
Microsoft Outlook Express 5.5
Microsoft Outlook Express 6.0
Details:
The vulnerability could allow an attacker to read files or launch a
program on the user's computer in the Local Computer Zone.
If an attacker were to host a malicious website that contained an MHTML
document and could convince a user to visit that site, they could
potentially exploit this vulnerability and read files or launch
executables already present on the user's computer.
MHTML stands for MIME Encapsulation of Aggregate HTML. MHTML is an
Internet standard that defines the MIME (Multipurpose Internet Mail
Extensions) structure used to send HTML content in e-mail message bodies.
The MHTML URL Handler in Windows is part of Outlook Express and provides a
URL type that can be used on the local machine. This URL type (MHTML://)
allows MHTML documents to be launched from a command line, from Start/Run,
using Windows Explorer or from within Internet Explorer.
A vulnerability exists in the MHTML URL Handler that allows any file that
can be rendered as text to be opened and rendered as part of a page in
Internet Explorer. As a result, it would be possible to construct a URL
that referred to a text file that was stored on the local computer and
have that file render as HTML. If the text file contained script, that
script would execute when the file was accessed. Since the file would
reside on the local computer, it would be rendered in the Local Computer
Security Zone. Files that are opened within the Local Computer Zone are
subject to fewer restrictions than files opened in other security zones.
Using this method, an attacker could attempt to construct a URL and either
host it on a website or send it via email. In the web based scenario,
where a user then clicked on a URL hosted on a website, an attacker could
have the ability to read or launch files already present on the local
machine. In the case of an e-mail borne attack, if the user was using
Outlook Express 6.0 or Outlook 2002 in their default configurations, or
Outlook 98 or 2000 in conjunction with the Outlook Email Security Update,
then an attack could not be automated and the user would still need to
click on a URL sent in the e-mail. However if the user was not using
Outlook Express 6.0 or Outlook 2002 in their default configurations, or
Outlook 98 or 2000 in conjunction with the Outlook Email Security Update,
the attacker could cause an attack to trigger automatically without the
user having to click on a URL contained in an e-mail. In both the web
based and e-mail based cases, any limitations on the user's privileges
would also restrict the capabilities of the attacker's script.
Applying the update listed in Microsoft Security Bulletin MS03-004
(Cumulative Patch for Internet Explorer) will help block an attacker from
being able to load a file onto a user's computer and prevent the passing
of parameters to an executable. This means that an attacker could only
launch a program that already existed on the computer (provided the
attacker was aware of the location of the program) and would not be able
to pass parameters to that program when it executed.
MHTML is a standard for exchanging HTML content in e-mail and as a result
the MHTML URL Handler function has been implemented in Outlook Express.
Internet Explorer can also render MHTML content; however, the MHTML
function has not been implemented separately in Internet Explorer. It
simply uses Outlook Express to render the MHTML content.
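The attack vectors above all hinge on an mhtml: URL reaching the client in a link, frame or other fetched attribute. The following is an added detection example, not part of the advisory or of Microsoft's code: it parses an HTML mail body, reports every mhtml: URL, and raises the severity when the URL body names a local file (file: scheme, drive letter or UNC path). The sample body and its paths are constructed placeholders, not the syntax of any real exploit.

```python
"""Flag mhtml: URLs in an HTML mail body or web page (constructed detection example)."""
import re
from html.parser import HTMLParser

# Attributes whose value the mail client or browser will navigate to or fetch.
URL_ATTRS = {"href", "src", "data", "action", "background"}
# Heuristic for a target on the local machine: file: scheme, drive letter or UNC path.
# The lookbehind keeps "http://" from matching as a drive letter.
LOCAL_PATH = re.compile(r"(file:|(?<![a-z])[a-z]:[\\/]|\\\\)", re.IGNORECASE)


def normalize(url):
    """Drop whitespace and control characters that clients ignore but that hide the scheme."""
    return re.sub(r"[\x00-\x20]", "", url)


class MhtmlUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in URL_ATTRS:
                self.check(tag, name, value)

    def check(self, tag, attr, raw):
        url = normalize(raw)
        if not url.lower().startswith("mhtml:"):
            return
        # An mhtml: URL naming a local file is the pattern the advisory describes;
        # any other mhtml: URL arriving in mail is unusual enough to report at lower severity.
        local = bool(LOCAL_PATH.search(url[len("mhtml:"):]))
        self.findings.append({"tag": tag, "attr": attr, "url": url,
                              "severity": "high" if local else "medium"})


def scan_html(body):
    """Return one finding per mhtml: URL in the markup, in document order."""
    finder = MhtmlUrlFinder()
    finder.feed(body)
    finder.close()
    return finder.findings


# Constructed sample message body (not from the advisory); paths are placeholders.
SAMPLE = """<html><body>
<a href="http://example.invalid/news.html">Newsletter</a>
<a href="mhtml:file://C:/placeholder/local.txt">Open</a>
<iframe src=" MHTML:http://example.invalid/archive.mht"></iframe>
</body></html>"""
```

Run `scan_html(SAMPLE)` to get two findings: the local-path link at high severity and the remote mhtml: frame at medium.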
Mitigating factors:
For the web-based scenario, the attacker would have to host a web site
that contained a web page used to exploit this vulnerability and entice a
user to visit it. An attacker would have no way to force a user to visit
the site. Instead, the attacker would need to lure the user there,
typically by getting the user to click on a link to the attacker's site.
The HTML mail-based attack scenario would be blocked by Outlook Express
6.0 and Outlook 2002 in their default configurations, and by Outlook 98
and 2000 if used in conjunction with the Outlook Email Security Update.
Exploiting the vulnerability would allow the attacker only the same
privileges as the user. Users whose accounts are configured to have few
privileges on the system would be at less risk than ones who operate with
administrative privileges.
If the cumulative patch for Internet Explorer MS03-004 has been installed,
known means by which an attacker may place a file onto a user's computer
will be blocked.
In order to invoke an executable already present on the local system, an
attacker must know the path to that executable.
Download Patch:
Microsoft Outlook Express:
http://www.microsoft.com/windows/ie/downloads/critical/330994/default.asp
ADDITIONAL INFORMATION
The original Microsoft advisory can be found at:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-014.asp