Vulnerability Development mailing list archives

Re: Outlook HTML VBS (demo)


From: mrousseau () LABCAL COM (Maxime Rousseau)
Date: Thu, 25 May 2000 14:25:39 -0400


In reply to some messages..

!  -----Original Message-----
!  From: Hull, Dave
!  Sent: Tuesday, May 23, 2000 8:44 AM
!
!
!  Your message with the alert() call in it did popup on my Outcrook. I
!  tried creating an html message using <Script language =
!  VBScript></VBScript> tags with code that would create a new registry
!  entry, but it failed every time. This may be because my code wasn't
!  quite right, but I was borrowing heavily from ILY, so I think it was
!  fine.

I think you might want to try <SCRIPT LANGUAGE="VBScript"> blah
</SCRIPT> if the closing vbscript tag did not work. I had never seen a
</vbscript> tag before, maybe that's your problem.

<snip>

!  controls. However, just because you can cause a popup window using
!  the javascript alert() call doesn't mean that a particular
!  installation of Outlook is vulnerable to more dangerous attacks.
!  Nevertheless, it's probably a good idea to have scripts turned off
!  anyway.

I think having an eMail that's capable of processing commands is asking
for trouble. Even if the thing in itself is pretty much sandboxed, it's
only a question of time before the next Eyedog vulnerability hits the
streets and whoever wants to penetrate your network races you up on
that. Disabling the scripts is THE solution, we agree on this. I have
yet to hear a single reason why an eMail should have scripts or any
other kind of active content.

Marko Ernvall also said the code was "old and obvious", of course it is.
But you know, those usually work best :) It has implications that some
people don't really get, I fear. Say I send spam but I'm unsure if all the
addresses in my database are accurate, I send you this kind of eMail
that makes an IFRAME in your mail or pops another window to my CGI that
records say your eMail, windows version, OS type and all the other
wonderful information you can gather via this.

Here's a quick list taken from msdn web workshop that lists info that
someone could tag to your eMail via this trick:

appCodeName      Retrieves the code name of the browser.
appMinorVersion  Retrieves the application's minor version value.
appName          Retrieves the name of the browser.
appVersion       Retrieves the platform and version of the browser.
browserLanguage  Retrieves the current browser language.
cookieEnabled    Retrieves whether client-side cookies are enabled in the browser.
cpuClass         Retrieves a string denoting the CPU class.
javaEnabled      Returns whether Java is enabled.
onLine           Retrieves whether the system is in global offline mode.
platform         Retrieves the name of the user's operating system.
systemLanguage   Retrieves the default language used by the system.
userAgent        Retrieves a string equivalent to the HTTP user-agent request header.
userLanguage     Retrieves the current user language.

That's all very interesting information to know if I want to infect you
or penetrate your network. Information that you leak via letting scripts
run in emails.

We are lucky the Outlook patch fixes all that! (not).

M.
[moo]
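The post's point is that any script or IFRAME rendered by the mail client is a channel for leaking the navigator properties listed above, and that the fix is to keep active content out of mail. The scanner below is an added example (not code from the original post or from Outlook) that shows what a mail gateway or client-side filter would look for before handing an HTML body to a scripting-capable renderer: SCRIPT/IFRAME/OBJECT/EMBED/APPLET elements, inline on* event handlers, and href/src values using the javascript: or vbscript: scheme. The sample message is constructed, including the placeholder host example.invalid.

```python
"""Flag active content in an HTML e-mail body before a scripting-capable
mail client renders it.  Added example; the sample message below is
constructed and the tag/scheme lists are an assumption about what a
filter should catch, not an exhaustive policy."""
from html.parser import HTMLParser

# Elements that can execute code or pull remote content on render.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
# URL schemes that run script when the link is followed or loaded.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentScanner(HTMLParser):
    """Collects (kind, detail) findings for script-capable markup."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names; values
        # may be None for bare attributes, so normalise them to "".
        attrs = {k: (v or "") for k, v in attrs}
        if tag in ACTIVE_TAGS:
            lang = attrs.get("language") or attrs.get("type") or ""
            self.findings.append((tag, lang.lower()))
        for name, value in attrs.items():
            # Inline handlers such as onload="..." run as soon as the
            # element is rendered, no <script> block required.
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}@{name}"))
            # A script: URL in href/src executes when dereferenced.
            if name in ("href", "src") and value.strip().lower().startswith(SCRIPT_SCHEMES):
                self.findings.append(("script-url", value.strip()))


def scan_html_mail(body: str):
    """Return the list of active-content findings for one HTML body,
    in document order."""
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def has_active_content(body: str) -> bool:
    """True if the body should be blocked or rendered with scripting off."""
    return bool(scan_html_mail(body))


# Constructed sample: a VBScript block, an invisible tracking IFRAME of the
# kind the post describes, an inline handler and a javascript: link.
SAMPLE_MAIL = """<html><body onload="init()">
<p>Hello</p>
<SCRIPT LANGUAGE="VBScript">MsgBox "hi"</SCRIPT>
<iframe src="http://example.invalid/track.cgi" width="0" height="0"></iframe>
<a href="javascript:void(0)">link</a>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html_mail(SAMPLE_MAIL):
        print(f"{kind}: {detail}")
```

The scanner deliberately reports the element even when it cannot tell what language a SCRIPT block is in, because the mail client decides that, not the sender; a filter that only matched `LANGUAGE="VBScript"` would miss the plain `<script>` tags used in the alert() test quoted above.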

