COMMAND
IE and Outlook
SYSTEMS AFFECTED
IE and Outlook 5.x
PROBLEM
Georgi Guninski found the following. There is a vulnerability in IE
and Outlook 5.x for Win9x/WinNT (probably others) which allows
executing arbitrary programs using .eml files. This may be
exploited when browsing web pages or opening an email message
in Outlook. This may lead to taking control over the user's computer.
It is also possible to read and send local files.
The problem is that files are created in the TEMP directory with a known
name and arbitrary content. One may place a .chm file in the
TEMP directory which contains the "shortcut" command; when the
.chm file is opened with the showHelp() method, programs may be
executed. This vulnerability may be exploited by an HTML email
message in Outlook.
The code that must be included in a .eml file is:
....
<IFRAME align=baseline alt="" border=0 hspace=0 src="cid:000701bf8458$eb570380$dc0732d4@bbb"></IFRAME>
<SCRIPT>
setTimeout('window.showHelp("c:/windows/temp/abcde.chm");',1000);
setTimeout('window.showHelp("c:/temp/abcde.chm");',1000);
</SCRIPT>
.....
------=_NextPart_000_0008_01BF8469.AEE8FB40
Content-Type: application/binary;
name="abcde.chm"
Content-Transfer-Encoding: base64
Content-ID: <000701bf8458$eb570380$dc0732d4@bbb>
...Put the base64 encoded .chm file here...
------=_NextPart_000_0008_01BF8469.AEE8FB40--
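The .eml layout above is what a mail gateway or content scanner can key on. As an added example, not part of the advisory or Guninski's demo, the Python below parses a message and flags the two ingredients together: an attachment carrying a Content-ID and a .chm name that inline HTML references through a cid: URL, plus a showHelp() call aimed at a .chm path. The sample message is constructed here and its base64 body is a placeholder, not a real .chm file.

```python
import email
import re
from email import policy

# Constructed sample modelled on the advisory's .eml layout; the base64 body is a placeholder.
SAMPLE_EML = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_0008_01BF8469.AEE8FB40"

------=_NextPart_000_0008_01BF8469.AEE8FB40
Content-Type: text/html; charset="iso-8859-1"

<IFRAME src="cid:000701bf8458$eb570380$dc0732d4@bbb"></IFRAME>
<SCRIPT>setTimeout('window.showHelp("c:/windows/temp/abcde.chm");',1000);</SCRIPT>

------=_NextPart_000_0008_01BF8469.AEE8FB40
Content-Type: application/binary; name="abcde.chm"
Content-Transfer-Encoding: base64
Content-ID: <000701bf8458$eb570380$dc0732d4@bbb>

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwgLmNobSBmaWxl
------=_NextPart_000_0008_01BF8469.AEE8FB40--
"""

CID_REF = re.compile(r'src\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)
SHOWHELP = re.compile(r'showHelp\s*\(\s*["\']([^"\']+\.chm)', re.I)


def scan_eml(raw):
    """Return (finding, detail) tuples for the cid:-referenced .chm plus showHelp() pattern."""
    msg = email.message_from_string(raw, policy=policy.default)
    cid_to_name = {}        # Content-ID -> attachment filename
    html_cids = set()       # cid: references found in inline HTML
    showhelp_targets = []   # .chm paths passed to showHelp()
    for part in msg.walk():
        cid, name = part.get("Content-ID"), part.get_filename()
        if cid and name:
            cid_to_name[str(cid).strip("<>")] = name
        if part.get_content_type() == "text/html":
            body = part.get_content()
            html_cids.update(CID_REF.findall(body))
            showhelp_targets.extend(SHOWHELP.findall(body))
    findings = []
    for cid in sorted(html_cids):
        name = cid_to_name.get(cid, "")
        if name.lower().endswith(".chm"):
            findings.append(("inline_chm_via_cid", name))
    findings.extend(("showhelp_chm_call", t) for t in showhelp_targets)
    return findings
```

A message that produces both finding types at once is the pattern the advisory describes; either one alone is worth a closer look at the attachment.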
Demonstration that starts WordPad:
http://www.nat.bg/~joro/eml.html
This works fine on NT4 Server SP5, IE 5.00.2919.6307, but it
prompts whether one wants to save or run the file. If you run it,
WordPad is launched. This is from the web page demo. It also
works on NT Workstation 4.0 SP4, IE 5.00.2314.1003, Outlook 2000.
It prompts to save or run: if you choose Run, it works. If you
choose Cancel, it works. If you close the box with Esc, it still
works.
The file is created by IE or one of its components. AFAIK not
all .eml files create temp files. A user-specific temp directory
is better than the default one.
SOLUTION
Disable Active Scripting. This doesn't work for Win2000 with
IE 5.0: it only prompts you to save the *.chm file, without running it.
You can accept this and run it, but this prevents it from working in the background.
Netscape Communicator is not affected; it is not known whether other
browsers are.