Vulnerability Development mailing list archives
Re: Outlook HTML VBS (demo)
From: neil.iwamoto () CIS CANON COM (Iwamoto, Neil)
Date: Mon, 22 May 2000 11:38:57 -0700
After creating it with (say) Wordpad, etc. you can also "drag-and-drop" it onto your Outlook Express Inbox -- all ready for forwarding as a test.

This is a pretty nasty deal -- all the warnings about "don't execute your attachments" are rendered moot.

By the way, the article that got my interest up enough to write an embedded VBScript HTML message to verify the problem follows:

http://technews.netscape.com/news/0-1003-200-1823347.html?tag=st

Also, in case you wanted to protect yourself, it turns out that there's a bug with Outlook Express; i.e. choosing "Prompt" instead of "Disable" for the Active Scripting option does not appear to work. I've reported it to MS and have a tracking number -- no response as of yet.

Neil

-----Original Message-----
From: Masial [mailto:mrousseau () SECURED ORG]
Sent: Sunday, May 21, 2000 3:42 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Outlook HTML VBS (demo)

The easy way is to build the HTML in notepad with the scripts in it then open the html doc with Word and send the eMail using the little eMail button in word.

As you can see, this eMail message would pop a box on a vulnerable outlook and not on those who don't allow scripting.

The only function in this demo is an alert() box but it could be pretty much anything.

M.

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Joerg Weber
Sent: Sunday, May 21, 2000 12:28 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Outlook, HTML & VBS

BB, Everyone,

this certainly is a lame question but Outlook isn't exactly my speciality :)

I'm trying to embed a script into a mail that pops up a MsgBox telling the user (s)he is vulnerable to vbs-scripting virii. Now, attaching this is sorta lame. So I'm trying to have Outlook execute the script when the message is read.

Could someone explain how you create arbitrary HTML code so Outlook renders/executes it? I've that far just been able to use Outlook's built-in formatting features.

Thanks everyone!

Joerg
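
An added example, not part of any message in this thread: a defender-side check that parses a raw message and reports active content in its text/html parts, the kind of content the thread describes as running when the message is read. The sample message and the names `scan_message` and `ActiveContentFinder` are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample (not taken from the thread): multipart mail with a scripted HTML part.
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

plain body
--b1
Content-Type: text/html; charset="us-ascii"

<html><body onload="hello()">
<script language="VBScript">MsgBox "test"</script>
<p>hi</p></body></html>
--b1--
"""

class ActiveContentFinder(HTMLParser):
    """Collects script blocks, on* event-handler attributes and script: URLs."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag == "script":
            a = dict(attrs)
            self.findings.append(("script", (a.get("language") or a.get("type") or "default").lower()))
        for name, value in attrs:
            if name.startswith("on"):  # heuristic: onload, onclick, onerror, ...
                self.findings.append(("event-handler", f"{tag}.{name}"))
            elif name in ("href", "src") and (value or "").strip().lower().startswith(("javascript:", "vbscript:")):
                self.findings.append(("script-url", f"{tag}.{name}"))

def scan_message(raw):
    """Return (kind, detail) findings for every text/html part of a raw RFC 822 message."""
    findings = []
    for part in email.message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings
```

A mail gateway or triage script can call `scan_message()` on each inbound message and quarantine or strip the HTML part when the returned list is non-empty.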