Vulnerability Development mailing list archives

Re: Outlook HTML VBS (demo)


From: neil.iwamoto () CIS CANON COM (Iwamoto, Neil)
Date: Mon, 22 May 2000 11:38:57 -0700


After creating it with (say) Wordpad, etc. you can also "drag-and-drop" it
onto your Outlook Express Inbox -- all ready for forwarding as a test. This
is a pretty nasty deal -- all the warnings about "don't execute your
attachments" are rendered moot.

By the way, the article that got my interest up enough to write an embedded
VBScript HTML message to verify the problem follows:
http://technews.netscape.com/news/0-1003-200-1823347.html?tag=st

Also, in case you wanted to protect yourself, it turns out that there's a
bug with Outlook Express; i.e. choosing "Prompt" instead of "Disable" for
the Active Scripting option does not appear to work. I've reported it to MS
and have a tracking number -- no response as of yet.

Neil

-----Original Message-----
From: Masial [mailto:mrousseau () SECURED ORG]
Sent: Sunday, May 21, 2000 3:42 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Outlook HTML VBS (demo)

The easy way is to build the HTML in Notepad with the scripts in it, then
open the HTML doc with Word and send the eMail using the little eMail button
in Word.
As you can see, this eMail message would pop a box on a vulnerable Outlook
and not on those who don't allow scripting. The only function in this demo
is an alert() box but it could be pretty much anything.

M.

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Joerg Weber
Sent: Sunday, May 21, 2000 12:28 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Outlook, HTML & VBS


BB, Everyone,

this certainly is a lame question but Outlook isn't exactly my speciality
:)

I'm trying to embed a script into a mail that pops up a MsgBox telling
the user (s)he is vulnerable to vbs-scripting virii. Now, attaching this
is sorta lame. So I'm trying to have Outlook execute the script when the
message is read.
Could someone explain how you create arbitrary HTML code so Outlook
renders/executes it? I've so far just been able to use Outlook's built-in
formatting features.

Thanks everyone!

      Joerg


