[Esd-l] Outlook 2003 exploit using active scripting.

Joe Steele joe at madewell.com
Wed May 19 16:50:27 PDT 2004

On Wednesday, May 19, 2004 11:18 AM, Smart,Dan wrote:
> John:
> Do you have a suggestion on how to handle this new Outlook 2003
> vulnerability?  See:
> http://secunia.com/advisories/11629/

I had wondered about this myself when it appeared on bugtraq a couple 
days ago:


I haven't studied the sample message (I didn't want to open it in 
Outlook, and I'm not sure how to open it otherwise), but I suspect 
that it sends itself as an "application/ms-tnef" MIME type (based on 
a little experimenting with embedding objects in a RTF Outlook 
message).  If this is indeed true, then defining 
"SECURITY_STRIP_MSTNEF" should be sufficient protection.  Would 
anyone care to confirm that this is how the sample message sends 


More information about the esd-l mailing list