Bugtraq mailing list archives
MS Outlook alert : Cuartango Active Setup
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Mon, 8 Nov 1999 11:54:05 -0800
Juan Carlos Garcia Cuartango has found the following security vulnerability in Microsoft Outlook. This is a highly dangerous issue. It allows a remote attacker to email an Outlook user an executable which will be run when the user views the attachment without asking them whether to save it or execute it.

This vulnerability could be used by a virus like Melissa to propagate itself across the network. Any user that views the attachment would then become infected.

Juan has worked with Microsoft to release a fix. It should be out today. I asked Juan to release full details but because of the potential damage he would rather keep example exploits to himself. That being said, there are enough details here to reverse engineer the vulnerability. If anyone figures them out, post to the list.

Quick fix: Disable Javascript in Outlook.

This is BUGTRAQ ID 775. You can view our vulnerability database entry at:
http://www.securityfocus.com/bid/775

Message-ID: <001501bf29d0$db3b5ba0$6480e381@home>
From: "Juan Carlos Garcia Cuartango" <cuartango () teleline es>
To: <aleph1 () securityfocus com>
Subject: MS Outlook alert : Cuartango Active Setup
Date: Mon, 8 Nov 1999 11:05:57 +0100
X-Mailer: Microsoft Outlook Express 5.00.2314.1300

Hi,

I believe I have discovered a major security issue affecting the majority of MS e-mail programs:

- Outlook Express 4
- Outlook Express 5
- Outlook 98
- Outlook 2000

The vulnerability allows the execution of any program just after opening any mail attachment like MID, WAV, GIF, MOV, TXT, XYZ ...

The hole comes from the fact that Outlook programs will create attached files in the temporary directory, usually C:\TEMP in Windows NT or C:\WINDOWS\TEMP in Windows 95-98, using the original name of the attached file. If the detached file is in fact a cabinet file containing a software package, any action on the victim's machine can be taken using the MS ActiveX component for software installation (Active Setup component).

There is a high risk when the exploit uses files like MID: a "double click" will immediately open the Multimedia player without asking the user about any risk.

I think this is an important issue. The method I have described could be used as a way to widely deploy a virus because few people will suspect an innocent multimedia attachment (Outlook programs tend to trust Multimedia attachments).

There is a workaround: Change the temporary directories location defined in the environment variables %TEMP% and %TMP%. Make these variables point to an unpredictable path. Another workaround would be the traditional one: disable active scripting.

MS was informed about the issue last 12 October. They are supposed to immediately release a fix.

Regards,
Juan Carlos García Cuartango

----- End forwarded message -----

--
Elias Levy
Security Focus
http://www.securityfocus.com/