Hello Bugtraq! I want to warn you about security vulnerabilities in email clients, particularly in Outlook Express and Outlook. This advisory is concerned with my series of advisories about vulnerabilities in browsers, which belong to group of DoS via protocol handlers. All those who doubt that these DoS vulnerabilities in browsers and email clients are security vulnerabilities, must read my first advisory on this topic (http://www.securityfocus.com/archive/1/511327/30/0/threaded). Where I mentioned about Mozilla's MFSA 2010-23 (http://www.mozilla.org/security/announce/2010/mfsa2010-23.html), for which created CVE-2010-0181 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0181). If they consider img with mailto (via redirect) as vulnerability, then iframes with different protocols is indeed vulnerability (in browsers and email clients). ----------------------------- Advisory: DoS attacks on email clients via protocol handlers ----------------------------- URL: http://websecurity.com.ua/4255/ ----------------------------- Affected products: Internet Explorer 6 (6.0.2900.2180), Outlook Express 6 and Outlook 2002 SP-2. ----------------------------- Timeline: 26.05.2010 - found vulnerability in Internet Explorer 6 (which engine is used in Outlook Express and Outlook). 26.05.2010 - informed Microsoft about this and others vulnerabilities in IE. 29.05.2010 - found vulnerabilities in Outlook Express and Outlook. 02.06.2010 - disclosed at my site. ----------------------------- Details: Last month I wrote about multiple DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers via protocol handlers. And after Vladimir Dubrovin aka 3APA3A drew my attention that these attacks can be made via email (http://www.securityfocus.com/archive/1/511539/30/0/threaded), I decided to check how much email clients are vulnerable to these attacks. I.e. I checked possibility of attacks not via webmails (which directly concerns the mentioned vulnerabilities in browsers), but via desktop email clients. Which are possible due to the same vulnerabilities in browsers, because email clients often use browsers engines for showing of html-letters. I checked these vulnerabilities in Outlook Express and Outlook, similar attacks are potentially possible in other email clients (built-in email client in Opera 9.52 is not affected). So all who wishes can check these vulnerabilities in other clients, e.g. in Thunderbird and SeaMonkey. I found Denial of Service vulnerabilities in Microsoft Outlook Express and Outlook. Which are identical to vulnerabilities in Internet Explorer 6. Taking into account that these email clients are using IE engine for showing of html-letters, then these attacks are Cross-Application DoS (http://websecurity.com.ua/2600/). Attacks work in Outlook Express and Outlook only when option Internet zone (OE) / Internet (Outlook) for IE security zone is selected. Taking into account that by default Restricted sites zone is set, then all users which are using default settings are in safe. DoS: http://websecurity.com.ua/uploads/2010/IE,%20OE%20&%20Outlook%20DoS%20Exploit.html This exploit uses small amount of iframes with firefoxurl protocol and crashes IE6, OE and Outlook. In OE and Outlook does work attack via iframe with mailto, news, nntp and firefoxurl protocols (and also with other protocols, if handlers of corresponding protocols are set in the system), but doesn't work attack via iframe with gopher protocol. In OE these exploits trigger as at preview of the letters, as at their opening. And in Outlook exploit with iframe with mailto triggers only at opening of the letter, and exploits with iframe with news, nntp and firefoxurl trigger as at preview of the letters, as at their opening. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua
