Bugtraq mailing list archives

MS Outlook alert : Cuartango Active Setup


From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Mon, 8 Nov 1999 11:54:05 -0800


Juan Carlos Garcia Cuartango has found the following security vulnerability
in Microsoft Outlook. This is a highly dangerous issue. It allows a remote
attacker to email an Outlook user an executable which will be run when
the user views the attachment without asking them whether to save it or
execute it. This vulnerability could be used by a virus like Melissa to
propagate itself across the network. Any user that views the attachment
would then become infected. Juan has worked with Microsoft to release
a fix. It should be out today.

I asked Juan to release full details but because of the potential damage
he would rather keep example exploits to himself. That being said there are
enough details here to reverse engineer the vulnerability. If anyone figures
them out, post to the list.

Quick fix: Disable Javascript in Outlook.

This is BUGTRAQ ID 775. You can view our vulnerability database entry at:
http://www.securityfocus.com/bid/775

Message-ID: <001501bf29d0$db3b5ba0$6480e381@home>
From: "Juan Carlos Garcia Cuartango" <cuartango () teleline es>
To: <aleph1 () securityfocus com>
Subject: MS Outlook alert : Cuartango Active Setup
Date: Mon, 8 Nov 1999 11:05:57 +0100
X-Mailer: Microsoft Outlook Express 5.00.2314.1300

Hi,
I believe I have discovered a major security issue affecting the majority of MS e-mail programs:
- Outlook Express 4
- Outlook Express 5
- Outlook 98
- Outlook 2000
The vulnerability allows the execution of any program just after opening any mail attachment like MID, WAV, GIF, MOV, TXT, XYZ ...
The hole comes from the fact that Outlook programs will create attached files in the temporary directory, usually C:\TEMP in Windows NT or C:\WINDOWS\TEMP in Windows 95-98, using the original name of the attached file.
If the detached file is in fact a cabinet file containing a software package, any action on the victim machine can be taken using the MS ActiveX component for software installation (Active Setup component).
There is a high risk when the exploit uses files like MID; a "double click" will immediately open the multimedia player without asking the user about any risk.
I think this is an important issue; the method I have described could be used as a way to widely deploy a virus because few people will suspect an innocent multimedia attachment (Outlook programs tend to trust multimedia attachments).
There is a workaround:
Change the temporary directories location defined in the environment variables %TEMP% and %TMP%. Make these variables point to an unpredictable path. Another workaround would be the traditional one: disable active scripting.
MS was informed about the issue last 12 October. They are supposed to immediately release a fix.
Regards,
Juan Carlos García Cuartango

----- End forwarded message -----

--
Elias Levy
Security Focus
http://www.securityfocus.com/
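
A gateway-side check for the condition the forwarded message describes, an attachment named like a multimedia or text file that is in fact a cabinet file. This is an added example, not part of the original post: the function names and the sample message are constructed, and the check assumes only the four-byte `MSCF` signature that begins a Microsoft cabinet file.

```python
import email
import email.policy
from email.message import EmailMessage

CAB_MAGIC = b"MSCF"  # signature at offset 0 of a Microsoft cabinet file


def disguised_cabinets(raw_message: bytes) -> list[str]:
    """Return the names of attachments whose content is a cabinet file
    but whose file name does not carry the .cab extension."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or name is None:
            continue  # containers and unnamed body parts are not attachments
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(CAB_MAGIC) and not name.lower().endswith(".cab"):
            flagged.append(name)
    return flagged


def build_sample() -> bytes:
    """Constructed test message: one mislabelled cabinet, three benign files."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    # Cabinet signature under a MIDI name: the case the advisory warns about.
    msg.add_attachment(CAB_MAGIC + bytes(32), maintype="audio",
                       subtype="midi", filename="song.mid")
    # A MIDI header ("MThd") under a MIDI name: consistent, not flagged.
    msg.add_attachment(b"MThd" + bytes(10), maintype="audio",
                       subtype="midi", filename="real.mid")
    # A cabinet that is honestly labelled as one: not flagged by this check.
    msg.add_attachment(CAB_MAGIC + bytes(32), maintype="application",
                       subtype="octet-stream", filename="update.cab")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in disguised_cabinets(build_sample()):
        print("cabinet content under non-.cab name:", name)
```

The check looks only at the first four bytes, so it catches extension mismatch and nothing else; whether honestly labelled cabinets should be delivered at all is a separate policy decision.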


