Wednesday, September 12, 2001

[A] Possibly the strangest "innovation" out of the manufacturer of Outlook Express to date. The ability to execute Active Scripting in a plain text mail message:

    MIME-Version: 1.0
    Content-Type: text/plain; charset="Windows-1252"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    X-Source: 11.09.01 http://www.malware.com

    <script>alert("freak");alert("show")</script>

The above is a legitimate RFC822 mail message in plain text. Ordinarily one would require an html mail message [Content-Type: text/html;] to parse html and scripting. The above functions under a plain text mail message in Outlook Express 6.00.

There appears to be a very small 'sweet spot' around the maximum length of the above characters from each opening angle bracket to closing angle bracket. Additional tests suggest a few more characters can be 'squeezed' in, as well as a second line below it with about half the amount of characters. Any additional characters then cause the entire message to be parsed as plain text (as it should be). Additionally, it appears from this testing that only the <script> tags function like this; other tags <IFRAME>, <OBJECT> etc. parse correctly as plain text.

Carefully Note: active scripting is off by default in OE6.00.

The above may be of interest to SAs who might block active content and html tags at their gateways using only the Content-Type: text/html; MIME header.

Working Example [nothing but 'plain text']:

http://www.malware.com/malware.zip

Tested on: Windows 98 and RTM Build of Windows XP with the release version of Outlook Express 6.00

[B] We also note with interest that a now 10 month old vulnerability, referred to as html.dropper [see: http://www.securityfocus.com/bid/2260], has been carried over to Outlook Express 6.00. This allows the sender of a manufactured mail message to dictate whichever icon they desire for an attachment:

screen shot: http://www.malware.com/madness.jpg (20KB)

The following fully functional working example is most definitely self-explanatory and includes a harmless *.exe:

http://www.malware.com/bang.zip

Tested on: Windows 98 and RTM Build of Windows XP with the release version of Outlook Express 6.00

According to reliable third-party sources, the manufacturer is fully aware of this and has been updated as recently as 10 days ago. It is understood (and appreciated) that they are inundated with an almost daily flood of much more severe discoveries and 'bugs' to their ever increasing avalanche of new products, and must prioritise the 'danger' levels, but will hopefully get to this. Certainly before they try to peddle the release versions of XP we would hope [expect], since this new news and mail client is included with it.

end call

---
http://www.malware.com
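The gateway point in [A], as an added example that is not part of the original advisory: a filter keyed only on Content-Type: text/html passes the plain text message shown above, while a check of the decoded body of every text part catches it. The function names and sample messages are constructed for illustration (the first sample reuses the advisory's own headers and script line).

```python
import re
from email import message_from_string

# Opening or closing <script> tag, any case, with optional attributes.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b[^>]*>", re.IGNORECASE)

def content_type_only_filter(raw):
    """Weak policy from [A]: flag only parts declared as text/html."""
    msg = message_from_string(raw)
    return any(p.get_content_type() == "text/html" for p in msg.walk())

def body_aware_filter(raw):
    """Inspect the decoded body of every text/* part, whatever it declares."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # multipart containers and binary attachments
        if part.get_content_type() == "text/html":
            findings.append(("declared-html", part.get_content_type()))
        # decode=True undoes base64 / quoted-printable transfer encoding
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "latin-1"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:  # unknown charset label in the header
            text = payload.decode("latin-1", errors="replace")
        for m in SCRIPT_TAG.finditer(text):
            findings.append(("script-tag", m.group(0)))
    return findings

# Constructed sample: the plain text message from section [A].
SAMPLE_PLAIN = (
    "MIME-Version: 1.0\n"
    'Content-Type: text/plain; charset="Windows-1252"\n'
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    '<script>alert("freak");alert("show")</script>\n'
)
# Constructed sample: ordinary plain text mail with no markup.
SAMPLE_BENIGN = (
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Meeting moved to 3pm.\n"
)

if __name__ == "__main__":
    for name, raw in (("plain+script", SAMPLE_PLAIN), ("benign", SAMPLE_BENIGN)):
        print(name, content_type_only_filter(raw), body_aware_filter(raw))
```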