Great message posted to the Bugtraq security list showing how easy it is to execute code on the “secure by default” Outlook 2003. Maybe the much touted security cleanup at Redmond isn’t as good as some think.
By “easy” above I mean “easy as described by someone who does this sort of thing for a living, not for me” of course. Basically the goal of “silent delivery and installation of an executable on the target computer, no client input other than reading an email” (default configuration, activeX disabled, etc) goes something like this:
- embed OLE to call Windows Media Player in rich text message
- use a bunch of 0’s to get Outlook to call up IE
- convince IE to execute the arbitrary executable file by putting it in an <img> tag.
(Obvious “profit” step ignored. 🙂) The steps are something like that anyway; read the message, it’s much more coherent than this post. So Dana, would your solution prevent this? Wonder how many months it’ll be before this sort of thing gets patched by the boys in Redmond? Maybe by 2009 when Longhorn comes out….