RE: PING: Outlook 2003 Spam

["http-equiv () excite com" <1 () malware com>]

I think Mark might be onto something both the vml and the copies 
of named files in the temp folder no longer appear to occur:

http://www.securityfocus.com/bid/10323 
http://www.securityfocus.com/bid/10307 

Those notes are dated 10th and 11th May. On the machine they no 
longer work on, we have a couple XP so-called 'patches' from 
14th May and 17th May with a 3 or 4 office update folders with 
files created on 17th May as well.

How's that for service. Quick, silent patching ! No need to 
bother anyone ! Well done lads.

[unless of course if our little XP test machines are broken and 
we are seeing things]

"Spencer, Mark" <mspencer () evidentdata com> said:

> Hello,
>
> A coworker and I spent much of the day yesterday trying to 
replicate
> this behavior and we were not able to do so.  The only time we 
can get
> Outlook 2003 to pull anything from our server with this code 
is when we
> send the email within our own MS Exchange.  We've tried 
multiple
> clients, multiple SMTP servers, and many variations of the 
code below
> and have not been successful, other than emails sent between 
Exchange
> users.
>
> I have not seen any other comments on this issue.  Is it 
possible
> Microsoft has already patched Outlook 2003 to only allow this 
behavior
> when dealing with a trusted zone?
>
> Mark
>
> -----Original Message-----
> From: http-equiv () excite com [mailto:1 () malware com] 
> Sent: Tuesday, May 11, 2004 8:42 AM
> To: bugtraq () securityfocus com
> Cc: NTBugtraq () listserv ntbugtraq com
> Subject: PING: Outlook 2003 Spam
>
>
>
> Tuesday, May 11, 2004
>
> Outlook 2003 the premier mail client from the company 
called 'Microsoft'
> certainly appears to have a lot of security features built 
into it.
> Cursory examination shows excellent thought into 'spam' 
containment,
> 'security' consideration and many other little 'things'. So 
much so the
> default rendering of html is in so-called 'restricted zone' 
which
> disallows nearly everything [frames, iframes, objects, 
scripting etc.].
> In addition 'special' spam measures are taken to disallow 
graphic
> downloads from a remote server in html email which can be used 
to verify
> recipients:
>
> [screen shot: http://www.malware.com/duhlook.png 40KB]        
>
> The Key Word is: nearly 
>
> Utilising Outlook's own bizarre scheMAH ! which comprises 
a 'proper'
> frame along with an src pointing to our remote server, we are 
able to
> ping the server and confirm our recipient has viewed our 
email. We don't
> require graphics or frames or iframes to do that:
>
> <v:vml frame style="LEFT: 50px; WIDTH: 300px; POSITION: 
> relative; TOP: 30px; HEIGHT: 200px" 
> src = "http://www.malware.com/duh.txt#malware";></v:vmlframe>
>
> <HTML>
> <HEAD>
> <STYLE>
> v\:* { behavior: url(#default#VML); }
> </STYLE>
> <XML:NAMESPACE NS="urn:schemas-microsoft-com:vml" PREFIX="v"/> 
</HEAD>
> Notes:
>
> 1. We now commence our examination of the Microsoft Office 
2003 suite,
> we're a bit late, but it has taken all this time to save up to 
buy the
> thing 2. Quick 72 hour prodding reveals that this 'perceived' 
premier
> device known as Outlook 2003 is in fact riddled with holes 3. 
Do not
> receive or open any emails period.  Use string and tin cans if 
you must
> communicate
>
>
>
> End Call
>
>
> --
> http://www.malware.com



-- 
http://www.malware.com