COMMAND
Outlook
SYSTEMS AFFECTED
MS Outlook (all versions)
PROBLEM
Juan Carlos Garcia Cuartango has found the following security
vulnerability in Microsoft Outlook. This is a highly dangerous
issue. It allows a remote attacker to email an Outlook user an
executable which will be run when the user views the attachment
without asking them whether to save it or execute it. This
vulnerability could be used by a virus like Melissa to propagate
itself across the network. Any user that views the attachment
would then become infected.
Juan was asked to release full details, but because of the
potential damage he prefers to keep example exploits to himself.
That being said, there are enough details here to reverse engineer
the vulnerability. If anyone figures them out, post to the list.
This major security issue affects the majority of MS e-mail
programs:
- Outlook Express 4
- Outlook Express 5
- Outlook 98
- Outlook 2000
The vulnerability allows the execution of any program just after
opening any mail attachment like MID, WAV, GIF, MOV, TXT, XYZ ...
The hole comes from the fact that Outlook programs will create
attached files in the temporary directory, usually C:\TEMP in
Windows NT or C:\WINDOWS\TEMP in Windows 95-98 using the original
name of the attached file. If the detached file is in fact a
cabinet file containing a software package, any action on the
victim's machine can be taken using the MS ActiveX component for
software installation (Active Setup component). There is a high
risk when the exploit uses files like MID: a "double click" will
immediately open the Multimedia player without asking the user for
any confirmation.
SOLUTION
Patch availability:
- http://windowsupdate.microsoft.com
- http://www.microsoft.com/msdownload
- http://www.microsoft.com/msdownload/iebuild/ascontrol/en/ascontrol.htm
Microsoft produces security patches for Internet Explorer 4.01 SP2
and higher. In the event that this package is applied to Internet
Explorer 4.01 SP1, the package states that a fix is not needed.
This message is incorrect, as the vulnerability does exist on
Internet Explorer 4.01 SP1. If you are using Internet Explorer
4.01 SP1, please upgrade to the latest version of Internet
Explorer to resolve this issue.
Change the location of the temporary directories defined in the
environment variables %TEMP% and %TMP%. Make these variables
point to an unpredictable path. Another workaround would be
the traditional one: disable active scripting.
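
The %TEMP%/%TMP% workaround above as a script, added here as an example and not part of the original advisory: it checks whether the two variables point at the default paths the advisory names and, if so, repoints both at a randomly named directory. It assumes a Windows system with PowerShell (newer than the systems listed above); the function names and the use of the user profile as parent directory are this example's own choices.

```powershell
# Added example (not from the advisory). Default temp paths named in the advisory:
$PredictableTemp = @('C:\TEMP', 'C:\WINDOWS\TEMP')

function Test-PredictableTemp {
    param([string]$Path)
    # An unset variable falls back to a system default, so treat it as predictable.
    if ([string]::IsNullOrWhiteSpace($Path)) { return $true }
    # -contains compares case-insensitively; strip a trailing backslash first.
    return $PredictableTemp -contains $Path.TrimEnd('\')
}

function New-RandomTempDirectory {
    param([string]$Base = $env:USERPROFILE)   # assumption: profile dir as parent
    # 16 bytes from the system CSPRNG, hex-encoded, become the directory name.
    $bytes = New-Object byte[] 16
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    $name = -join ($bytes | ForEach-Object { $_.ToString('x2') })
    $dir = Join-Path $Base $name
    New-Item -ItemType Directory -Path $dir -ErrorAction Stop | Out-Null
    return $dir
}

# Report the current state, then point both variables at one new directory.
$needsMove = $false
foreach ($var in 'TEMP', 'TMP') {
    $current = [Environment]::GetEnvironmentVariable($var, 'Process')
    $predictable = Test-PredictableTemp $current
    Write-Output ("{0} = {1} (predictable: {2})" -f $var, $current, $predictable)
    if ($predictable) { $needsMove = $true }
}

if ($needsMove) {
    $newDir = New-RandomTempDirectory
    foreach ($var in 'TEMP', 'TMP') {
        # 'User' scope persists the value for this account only.
        [Environment]::SetEnvironmentVariable($var, $newDir, 'User')
    }
    Write-Output "TEMP and TMP now point to $newDir for this user"
}
```

Processes that are already running keep the old values; the new location applies to programs started afterwards.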
To guard against the risks presented in Juan's notice, be sure to
adjust control of ActiveX Scripting as well as ActiveX Controls
and Plugins in your Outlook mail client. For Outlook 98, choose
Tools, Options, and then Security from the pull down menus. On
the security tab, adjust the Secure Content Zone to Restricted
Sites. This causes Outlook to apply the Restricted Sites
security profile to all email content received with Outlook.
Also, ensure that the Restricted Sites zone settings are adequate
for your needs. To do so, on the same Outlook Security dialog,
click the Zone Settings button, which opens a new dialog. On the
new dialog, choose the Restricted Sites zone, and click the
Custom Level button, which opens the Security Settings dialog
window. On the dialog window, scroll through the list and adjust
all ActiveX properties to either "Disable" or "Prompt." Keep in
mind that if you set these controls to "Prompt," you may
experience a large number of prompts on the screen while surfing
the Internet. If the prompts become a bother, simply readjust
the ActiveX properties to "Disable."