Juan Carlos Garcia Cuartango has found the following security vulnerability
in Microsoft Outlook. This is a highly dangerous issue. It allows a remote
attacker to email an Outlook user an executable which will be run when
the user views the attachment without asking them whether to save it or
execute it. This vulnerability could be used by a virus like Melissa to
propagate itself across the network. Any user that views the attachment
would then become infected. Juan has worked with Microsoft to release
a fix. It should be out today.

I asked Juan to release full details but because of the potential damage
he would rather keep example exploits to himself. That being said, there are
enough details here to reverse engineer the vulnerability. If anyone figures
them out, post to the list.

Quick fix: Disable Javascript in Outlook.

This is BUGTRAQ ID 775. You can view our vulnerability database entry at:
http://www.securityfocus.com/bid/775

Message-ID: <001501bf29d0$db3b5ba0$6480e381@home>
From: "Juan Carlos Garcia Cuartango" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: MS Outlook alert : Cuartango Active Setup
Date: Mon, 8 Nov 1999 11:05:57 +0100
X-Mailer: Microsoft Outlook Express 5.00.2314.1300

Hi,
I believe I have discovered a major security issue affecting the majority of MS
e-mail programs:
- Outlook Express 4
- Outlook Express 5
- Outlook 98
- Outlook 2000
The vulnerability allows the execution of any program just after opening any mail
attachment like MID, WAV, GIF, MOV, TXT, XYZ ...
The hole comes from the fact that Outlook programs will create attached files in the
temporary directory, usually C:\TEMP in Windows NT or C:\WINDOWS\TEMP in Windows 95-98,
using the original name of the attached file.
If the detached file is in fact a cabinet file containing a software package, any
action on the victim machine can be taken using the MS ActiveX component for software
installation (Active Setup component).
There is a high risk when the exploit uses files like MID; a "double click" will
immediately open the Multimedia player without asking the user about any risk.
I think this is an important issue; the method I have described could be used as a way
to widely deploy a virus because few people will suspect an innocent multimedia
attachment (Outlook programs tend to trust Multimedia attachments).
There is a workaround:
Change the temporary directories location defined in the environment variables %TEMP%
and %TMP%. Make these variables point to an unpredictable path. Another workaround
would be the traditional one: disable active scripting.
MS was informed about the issue last 12 October. They are supposed to immediately
release a fix.
Regards,
Juan Carlos García Cuartango


----- End forwarded message -----

--
Elias Levy
Security Focus
http://www.securityfocus.com/
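
An added example, not part of the original post and not Microsoft's code: the forwarded message traces the hole to attachments being written into the temporary directory under their original name, which makes the full path known in advance. The sketch below contrasts that path with one inside a randomly named, owner-only directory; the function names and the sample attachment name are assumptions made for illustration.

```python
import os
import re
import tempfile

_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def predictable_path(temp_dir, attachment_name):
    """The pattern the advisory describes: temp dir + original attachment name."""
    return os.path.join(temp_dir, attachment_name)


def safe_leaf(attachment_name):
    """Reduce a sender-supplied name to a harmless leaf file name."""
    # Drop any directory components, whichever separator the sender used.
    leaf = attachment_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Replace unexpected characters and refuse dot-only or hidden names.
    leaf = _UNSAFE.sub("_", leaf).lstrip(".")
    return leaf or "attachment"


def save_attachment(temp_dir, attachment_name, data):
    """Write the attachment under a fresh, randomly named, owner-only directory."""
    # mkdtemp picks an unguessable suffix and creates the directory mode 0700.
    private_dir = tempfile.mkdtemp(prefix="att-", dir=temp_dir)
    path = os.path.join(private_dir, safe_leaf(attachment_name))
    # O_EXCL: fail rather than reuse or overwrite anything already at this path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Save the same constructed attachment twice and compare the paths."""
    base = tempfile.mkdtemp()      # stands in for %TEMP%
    name = "song.mid"              # constructed sample attachment name
    guess = predictable_path(base, name)
    first = save_attachment(base, name, b"constructed sample bytes")
    second = save_attachment(base, name, b"constructed sample bytes")
    return guess, first, second


if __name__ == "__main__":
    for label, p in zip(("predictable", "first save", "second save"), demo()):
        print(f"{label:12} {p}")
```

The workaround in the message (pointing %TEMP% and %TMP% at an unpredictable path) gets the same effect from the user side; here the application supplies the randomness for each attachment.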
