Re: Outlook HTML VBS (demo)

[jtb () ATEI COM (Jason Brown)]

This popup showed up on my Netscape Messenger (4.73) when I clicked on
the email (not even an attachment, just opening the email) yet when I
checked the security info regarding the javascript security it says "No
applet or script is allowed to access your computer or network without
your permission. ".  Does that mean my Netscape Messenger is vulnerable
to malign javascripts too or is there something I am missing here?

Jason Brown
jtb () atei com

Masial wrote:

> The easy way is to build the HTML in notepad with the scripts in it
> then open the html doc with Word and send the eMail using the little
> eMail button in word.
>
> As you can see, this eMail message would pop a box on a vulnerable
> outlook and not on those who don’t allow scripting. The only function
> in this demo is an alert() box but it could be pretty much anything.
>
> M.
>
> > -----Original Message-----
> > From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
> > Joerg Weber
> > Sent: Sunday, May 21, 2000 12:28 PM
> > To: VULN-DEV () SECURITYFOCUS COM
> > Subject: Outlook, HTML & VBS
> >
> >
> > BB, Everyone,
> >
> > this certainly is a lame question but Outlook isn't exactly my
> speciality
> > :)
> >
> > I'm trying to embedd a script into a mail that pops up a MsgBox
> telling
> > the user (s)he is vulnerable to vbs-scripting virii. Now, attaching
> this
> > is sorta lame. So I'm trying to have Outlook execute the script when
> the
> > message is read.
> > Could someone explain how you create arbitrary HTML code so Outlook
> > renders/executes it? I've that far just been able to use Outlooks
> build-in
> > formating features.
> >
> > Thanks everyone!
> >
> >       Joerg