Bugtraq mailing list archives
Re: MS Outlook alert : Cuartango Active Setup
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Mon, 8 Nov 1999 13:04:23 -0800
At 11:54 AM 11/8/99 -0800, Elias Levy wrote:
Juan Carlos Garcia Cuartango has found the following security vulnerability in Microsoft Outlook. This is a highly dangerous issue. It allows a remote attacker to email an Outlook user an executable which will be run when the user views the attachment without asking them whether to save it or execute it.
Quick fix: Disable Javascript in Outlook.
There's a wrinkle in this one that I think people need to be aware of - Outlook uses the security zones that IE also uses. By default, everything runs in the 'Internet Zone', though you can get your mail to run in the "Untrusted Zone". Even if your mail is currently set to run in the untrusted zone, any HTML attachments will run in the "Internet Zone".

I have now been running my e-mail client at work using the untrusted zone (and actually tweaked beyond that) for a couple of months, and have not noticed any ill effects at all. I also like to view HTML attachments as pure text to see what is in there, but then I'm fairly paranoid and recognize that end-users can't be expected to do that.

If you want to make sure you've got all the bases covered, then you need to disable JavaScript in both zones. I also recommend investigating all sorts of attachments carefully.

David LeBlanc
dleblanc () mindspring com
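An audit of the "both zones" advice above, as an added example that is not part of the original post. It assumes the "Untrusted Zone" is the Restricted sites zone (zone 4), and that the standard Internet Settings registry layout applies, where value 1400 is the Active scripting action and 3 means disabled; the function name is hypothetical.

```powershell
# Added example: report the Active scripting setting (URL action 1400)
# for the Internet zone (3) and the Restricted sites zone (4).
# Assumption: "Untrusted Zone" in the post maps to zone 4.
$zones  = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$states = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Per-user settings plus user and machine policy locations.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ActiveScriptingState {
    foreach ($root in $roots) {
        foreach ($id in ($zones.Keys | Sort-Object)) {
            $key   = Join-Path $root "$id"
            $value = $null
            if (Test-Path $key) {
                # The property is absent when the zone inherits its default.
                $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
                if ($null -ne $prop) { $value = $prop.'1400' }
            }

            if ($null -eq $value)                      { $state = 'Not set' }
            elseif ($states.ContainsKey([int]$value))  { $state = $states[[int]$value] }
            else                                       { $state = "Unknown ($value)" }

            [pscustomobject]@{
                Location        = $root
                Zone            = $zones[$id]
                ActiveScripting = $state
                # Only an explicit "Disabled" satisfies the advice in the post.
                Disabled        = ($value -eq 3)
            }
        }
    }
}

Get-ActiveScriptingState | Format-Table -AutoSize -Wrap
```

A row showing "Not set" means that location does not override the zone's default, so it should not be read as scripting being disabled.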