COMMAND

    MS Office

SYSTEMS AFFECTED

    MS Office SR1+June patch

PROBLEM

    Carlisle Martin found the following.  After installing the Outlook
    2000 security patch, the following Visual Basic script will ask
    the user twice for authorization before proceeding:

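        ' olMailItem is not predefined outside Outlook's own VBA host
        Const olMailItem = 0

        Set golApp = CreateObject("Outlook.Application")
        Set objNewMail = golApp.CreateItem(olMailItem)
        With objNewMail
            .Recipients.Add "nobody@nowhere.com"
            ' Resolve the recipient against the address book
            blnResolveSuccess = .Recipients.ResolveAll
            .Subject = "test"
            .Body = "body"
            ' Send if every recipient resolved, otherwise show the message
            If blnResolveSuccess Then
                .Send
            Else
                .Display
            End If
        End With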

    Martin has developed an Ada 95 program that will answer the dialog
    with no intervention from the user (testing was performed on a
    Windows 2000 machine running Office 2000 SR-1a with the June 2000
    security patch installed).  In combination with either a Trojan
    Horse, or a buffer overflow (such as the recently reported GMT
    bug), a sophisticated programmer could write a virus similar to
    the ILoveYou worm which would be self-replicating and utilize the
    Outlook address book.  The key insight is that another program
    can send messages to the dialog window.  Using MS Spy++ to
    examine the messages that are generated when a user actually
    clicks the button enabled me to recreate them.

SOLUTION

    Microsoft was informed of this scenario with complete source
    code.  They claim that the result requires a compiled executable
    and cannot be scripted (I have not falsified this claim).  They
    state that they will investigate this scenario for the next
    version of Office.