COMMAND

    Incredimail

SYSTEMS AFFECTED

    Incredimail build 1400185 .. possibly earlier builds as well

PROBLEM

    'Obscure' found the following.  IncrediMail is an advanced email
    program that offers you, the user, an unprecedented interactive
    experience.  With IncrediMail you can tailor your emails according
    to your mood and personality.  Visual effects will entertain your
    every sense.  Go ahead.  Express yourself like you never did
    before!

    Well, Incredimail  does really  look quite  cool, with  animations
    similar to the e-mail on Mission Impossible, plus it's free.

    Users can specify the filename of the skin, notifier, animation,
    etc.  This is specified in a text file called Content.ini, which is
    found inside the compressed skin or animation archive.

    By appending the traditional dot-dot to the filename, malicious
    users can easily overwrite any file on the same partition as
    IncrediMail is installed to.  The file is automatically downloaded
    and copied to the client machine when it accesses a site or e-mail
    that starts a download of the IncrediMail file.  If the target file
    already exists, IncrediMail tries to overwrite it.
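    The check a client should apply before writing a filename taken from
    Content.ini, as an added example (not IncrediMail's code): the name
    is resolved against the install directory and rejected if it escapes
    it.  The Content.ini section and key names, the sample entries and
    the install path are assumptions; the page does not give the file's
    schema.

```python
import configparser
import os
from typing import Dict, Optional

# Constructed sample of a Content.ini as a skin archive might carry it.
# The [Skin]/[Notifier] sections and the File= key are hypothetical;
# the real schema is not documented on the page.  The second entry
# carries the dot-dot traversal the advisory describes.
SAMPLE_CONTENT_INI = """
[Skin]
Name=Sunset
File=skin\\sunset.bmp

[Notifier]
File=..\\..\\Obscure.dat
"""


def resolve_inside(base_dir: str, relative_name: str) -> Optional[str]:
    """Resolve a Content.ini filename against base_dir.

    Returns the normalised absolute path if it stays inside base_dir,
    otherwise None.  Backslashes are normalised because the format is
    Windows-born while the check may run on any platform; a drive
    letter in the name is rejected outright.
    """
    if ":" in relative_name:
        return None
    base = os.path.realpath(base_dir)
    joined = os.path.join(base, relative_name.replace("\\", "/"))
    candidate = os.path.realpath(joined)
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return candidate if inside else None


def check_content_ini(text: str, base_dir: str) -> Dict[str, Optional[str]]:
    """Map every section with a File= entry to its safe path or None."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return {sec: resolve_inside(base_dir, cfg[sec]["File"])
            for sec in cfg.sections() if "File" in cfg[sec]}
```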

    See the exploit example:

        http://irc.m0ss.com/eos/advisories/incredimailexploit

    This webpage will simply create a file named Obscure.dat on C: (or
    on whichever partition you installed IncrediMail).

SOLUTION

    Nothing yet.