Gotta Love It

Great message posted to the Bugtraq security list showing how easy it is to execute code on the “secure by default” Outlook 2003. Maybe the much touted security cleanup at Redmond isn’t as good as some think.

By “easy” above I mean “easy as described by someone who does this sort of thing for a living, not for me” of course. Basically, reaching the goal of “silent delivery and installation of an executable on the target computer, no client input other than reading an email” (default configuration, ActiveX disabled, etc.) goes something like this:

  • embed OLE to call Windows Media Player in rich text message
  • use a bunch of 0’s to get Outlook to call up IE
  • convince IE to execute the arbitrary executable file by putting it in an <img> tag.
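
As an added example (my own code, not from the Bugtraq message or this blog), here is the kind of check a mail gateway or desktop agent could run against a rich-text body to flag the first step of that chain, an embedded OLE object. The control words it looks for are the standard RTF object-destination keywords; the two sample bodies, the class name `WMPlayer.Example` and the hex payload are constructed for the demonstration and are not taken from the post.

```python
import re
from dataclasses import dataclass

# RTF control words that introduce an embedded or linked OLE object.  These are
# the standard RTF object-destination keywords (assumption: taken from the RTF
# specification, not from the message being discussed).
OLE_CONTROL_WORDS = frozenset(
    {"object", "objemb", "objlink", "objautlink", "objclass", "objdata"}
)

# \keyword with or without a numeric parameter; the leading \* of an ignorable
# destination is skipped because the pattern only anchors on letters.
CONTROL_WORD_RE = re.compile(r"\\([a-zA-Z]+)")
OBJCLASS_RE = re.compile(r"\\\*\\objclass\s+([^}]+)\}")
OBJDATA_RE = re.compile(r"\\\*\\objdata\s+([0-9a-fA-F\s]+)\}")


@dataclass
class ScanResult:
    ole_control_words: frozenset   # OLE keywords actually present in the body
    object_classes: list           # ProgIDs named in \objclass groups
    payload_bytes: list            # decoded size of each \objdata hex blob

    def is_suspicious(self) -> bool:
        return bool(self.ole_control_words)


def scan_rtf(rtf: str) -> ScanResult:
    """Tokenise the RTF control words and report anything OLE-related."""
    seen = {m.group(1).lower() for m in CONTROL_WORD_RE.finditer(rtf)}
    classes = [m.group(1).strip() for m in OBJCLASS_RE.finditer(rtf)]
    sizes = []
    for m in OBJDATA_RE.finditer(rtf):
        hex_blob = re.sub(r"\s+", "", m.group(1))   # hex may be wrapped
        sizes.append(len(hex_blob) // 2)
    return ScanResult(frozenset(seen & OLE_CONTROL_WORDS), classes, sizes)


def triage(rtf: str) -> str:
    """One-line verdict a filter would write to its log."""
    result = scan_rtf(rtf)
    if not result.is_suspicious():
        return "clean: no OLE object destinations"
    classes = ", ".join(result.object_classes) or "unnamed"
    total = sum(result.payload_bytes)
    return (f"flag: embedded OLE object(s) class={classes} "
            f"payload={total} bytes keywords={sorted(result.ole_control_words)}")


# Constructed sample bodies (not real messages); the class name is a placeholder.
BENIGN_RTF = r"{\rtf1\ansi\deff0 Hello from the help desk.\par }"
SUSPICIOUS_RTF = (
    r"{\rtf1\ansi\deff0 Quarterly report attached."
    r"{\object\objemb{\*\objclass WMPlayer.Example}"
    r"{\*\objdata 0105000002000000}}}"
)

if __name__ == "__main__":
    for body in (BENIGN_RTF, SUSPICIOUS_RTF):
        print(triage(body))
```

A real deployment would run this on the decoded `text/rtf` or TNEF part before the client renders it; the point is that the object destination is visible in the raw body long before any OLE server (Media Player or otherwise) gets instantiated, so a policy of “no OLE in mail” can be enforced at the gateway rather than relying on each client's defaults.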

(Obvious “profit” step ignored 🙂) The steps are something like that anyway; read the message, it’s much more coherent than this post. So Dana, would your solution prevent this? Wonder how many months it’ll be before this sort of thing gets patched by the boys in Redmond? Maybe by 2009 when Longhorn comes out….

10 Comments on “Gotta Love It”

  1. It may be possible to prevent this with my software. Would have to verify that. Basically my code would defend against this attack vector if Outlook 2003 was profiled and added in the Application Access Control Policy stating that Outlook has no permission to execute OLE, which would prevent Media Player from executing from that application context.
    Would have to test of course, but that’s easy enough.
    A future version later this year will actually have a predefined whitelist that would block this sort of attack by default, right out of the box… depending on the access control policy defined. Your mail client should NEVER execute a media extension by default without getting permission from the IT security group.
    Fun stuff. Gotta love it when Microsoft helps promote my stuff indirectly 😉

  2. Actually, there’s a really easy fix to this… Outlook and Outlook Express have an option to force all messages into plain text. No more images in your email means no more “images” to exploit.

  3. My theory Dana is that they are doing it (screwing up security) on purpose so that people will be more willing to accept Longhorn and Palladium when they are released.
    I’m wondering though if the mail client is actually executing the media type, because it thinks it’s just executing an html rendering of an image, and (as I understand it) the exploit is passed off to IE or the IE widget.
    Darren: (btw, accidentally deleted your post, readded which is why the time is off 🙂) The ‘use plaintext’ is great, but not on by default, so it would fail the ‘granny test’. Even worse is (according to the poster) Outlook 2003 is supposed to be secure by default, not secure after you change some options 🙁 Oh well, more people will buy Dana’s software now I guess!

  4. Engel – obvious, I want to know why the “secure by default” “best practices” outlook 2003 is easily hackable 🙂

  5. Hey Alan,
    Just for the record, I am running XP SP2 and have found that it sets Outlook/Outlook Express HTML rendering OFF by default… even if it was on before. As such, they have made strides to address the “secure by default” in this scenario.

  6. Darren – actually I’m just really shocked when I get a comment that isn’t comment spam 🙂 Gotta look more carefully I guess….

  7. spam spam Spam SPAM,
    spam spam Spam SPAM,
    spam spam Spam SPAM,
    spam spam Spam SPAM,

  8. If you search, you shall find.

    You gotta feel for Microsoft sometimes. They have the most successful products out there, bar none, and the reason is that they are the best out there. Why is that a problem, well when your programs are used by everyone,…