Information Security News mailing list archives

Beware Those Insidious Vcards


From: InfoSec News <isn () C4I ORG>
Date: Fri, 23 Feb 2001 15:20:15 -0600

http://www.wired.com/news/technology/0,1282,41994,00.html

by Michelle Delio
10:00 a.m. Feb. 23, 2001 PST

Those little virtual business cards that some people attach to their
e-mails might be dangerous.

Microsoft announced Friday that a flaw in its Outlook e-mail program
allows crackers to crash or remotely control computers and entire
networks, via virtual business cards (Vcards) that harbor malicious
code.

Vcards containing malformed data can cause any action of the
attacker's choice to run on the recipient's machine or a network when
a hapless recipient opens them. They can add, change or delete data,
communicate with websites, reformat a hard drive, and more.

The flaw is located in the segment of the Outlook program that
processes Vcards. Microsoft says damage would be limited only by the
security permissions a user has set on his or her machine.

"Since most people, especially those who aren't backed by a decent
security department, typically leave their machines wide open to any
security breaches, I'd say there's a lot of fun to be had here," said
Andrew Antipass, a security consultant for TechServe.

Ollie Whitehouse, managing security architect at @Stake, is credited
for discovering the flaw, which Whitehouse reported to Microsoft in
November 2000.

"Microsoft's reaction, as always in these matters, was professional.
We worked with them to help them replicate the vulnerability. They in
turn developed a patch which they sent to us for testing; additionally
they coordinated with us the release of their advisory and our own,"
Whitehouse said.

Typically, when a flaw is discovered that is not widely known and
therefore doesn't seem to be an immediate threat, the software company
and the discoverer of the flaw will avoid making official
announcements until a patch has been developed.

Once the announcement has been made, it is crucial for users to apply
the patch, as attackers would then be aware of the flaw and will seek
to exploit it.

Microsoft has released a patch and advises anyone who uses Outlook to
download and install the patch immediately.

Whitehouse said that this particular programming flaw is not uncommon
in Microsoft's products.

Atstake has discovered a number of similar vulnerabilities in
Microsoft products from Powerpoint to Media Player.

Outlook 97 and 2000 and Outlook Express 5.01 and 5.5 contain the
"Unchecked Buffer" flaw. An attacker can exploit the flaw by creating
a Vcard, and then altering it with a hexadecimal editor to include a
long string of data.

Normally, when a program's buffer is overrun with random data, the
application would simply lock up or crash. But due to that flaw in
Outlook's buffer, flooding it with data by way of a Vcard can
magically transform the e-mail program into a compliant slave of the
cracker, allowing him or her to make Outlook act as a sort of remote
control over the affected machine.

If a vicious Vcard were opened on a machine whose user was connected
to an unsecured network, or if the affected machine were configured to
allow it control over a network, the attacker could control anything
that is connected to that network.

Essentially, the attacker would be a ghost in the machine, with all
the rights and privileges that machine's user has.

The card does have to be opened to be effective, said Microsoft, and
there is no way that it can be coded to open automatically.

"So the attacker would need to entice the recipient into opening the
mail, then opening the Vcard," Microsoft said in its security
bulletin.

Unfortunately, given the wide and fast spread of recent viruses like
Anna and the Love Bug, it doesn't take much enticing to get computer
users to open and click on attachments.

And "for reasons that are beyond my mortal abilities to figure out,"
many people don't consider Vcards to be an attachment, said Antipass.

Microsoft plans to issue a full security bulletin on the Vcard problem
late Friday.

ISN is hosted by SecurityFocus.com