[Esa-l] Microsoft Security Bulletin MS01-020

John D. Hardin jhardin at wolfenet.com
Sat Mar 31 11:18:52 PST 2001

On Fri, 30 Mar 2001, Microsoft Product Security wrote:

> However, a flaw exists in the type of processing that is specified
> for certain unusual MIME types. If an attacker created an HTML
> e-mail containing an executable attachment, then modified the MIME
> header information to specify that the attachment was one of the
> unusual MIME types that IE handles incorrectly, IE would launch
> the attachment automatically when it rendered the e-mail.

I've taken a look at the sample exploit, and basically it consists of
giving an attachment with a *.VBS filename a MIME type of
AUDIO/MS-whatever (and other similar combinations). Apparently IE5
uses the attachment name to figure out how to handle the attachment
(which is understandable on Microsoft OSes from a historical
perspective) and uses the MIME type only for icons or something else.

The sanitizer will trap these attacks successfully as it keys off the
attachment names and not the MIME type.

I do not at this time recommend poisoning *.EML attachments.

 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  Failure to plan ahead on someone else's part does not constitute an
  emergency on my part.
                                  - David W. Barts in a.s.r
                                    <davidb at ce.washington.edu>
   Tomorrow: Daylight Savings Time begins

More information about the esd-l mailing list