outlook security alert

  • From: "Jamie A. Byrnes" <jabyrnes@xxxxxxxxxxxxxxxxx>
  • To: <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 24 Apr 2003 10:21:16 +0930



For those not on MS's security mailing list (or those who want another
take on this)


Microsoft have released a new security advisory affecting Outlook
Express v5.5, v6.0, Outlook 98, 2000, 2002 and Internet Explorer,
specifically using the MHTML standard, or MIME encapsulation of HTML.
The associated advisories are:


MS03-014 http://www.microsoft.com/technet/security/bulletin/MS03-014.asp

MS03-015 http://www.microsoft.com/technet/security/bulletin/MS03-015.asp


The advisories list the associated roll-up patches which I strongly
advise is installed on all OE clients.


Essentially, the MHTML URL tag (MHTML://) can be used to run local
scripts, which will then run in the IE local computer security zone,
which has few restrictions as to what it can't do. If the IE cumulative
patch listed in MS03-004 is not installed the attacker could also locate
a script file onto the local computer for it to run.


Also note that Outlook 98 and Outlook 2000 without the email security
update, and Outlook 2002 and OE v 6.0 not in its default configuration
can run this URL simply by opening the message. Other versions need to
click on the URL to be affected.


Put together this means that under some standard configurations an
attacking script can be copied and run with few restrictions, using the
users privileges on the local computer - ie. VERY BAD! Given how easy it
is to utilize this flaw, expect nasty worms using it very soon from the
script kiddies. And if the user is a local or domain admin, utoh!


An interesting omission from this advisory is any patch/update/config
change for Outlook clients. Assuming that you have the email security
update installed, or Outlook 2002 is in its default config (ie. open
HTML mail in the restricted sites zone), then clicking the link will
still activate the script. Guaranteed that with the right prompt a large
number of users will click it anyway - "see Avril topless" yeehar!


I will advise if/when Outlook patches become available.





Other related posts:

  • » outlook security alert