[Esd-l] Outlook 2003 exploit using active scripting.

John D. Hardin jhardin at impsec.org
Fri May 21 05:56:25 PDT 2004

On Thu, 20 May 2004, John D. Hardin wrote:

> On Thu, 20 May 2004, Smart,Dan wrote:
> >  I'm not mangling html files, but I have NOT set
> > SECURITY_TRUST_HTML.  So I take it this takes care of this
> > vulnerability?
> Again, not having seen a sample I can't say for sure, but I *think*
> the active HTML defanging will stop this exploit.

I've been in touch with the guy who found this exploit, and it seems
the the description is a little misleading, at least if you are
approaching it from the POV of historical exploit methods.

The exploit is a carefully constructed Outlook Rich Text format
WINMAIL.DAT attachment.

Active HTML is apparently NOT the activation vector, it appears that
the act of parsing the TNEF attachment is what activates the attack. I
am verifying that this is indeed the vector.

Therefore, to defend against this attack, you need to set
$SECURITY_STRIP_MSTNEF and ask your correspondents to NOT use Outlook
Rich Text format for Internet email messages; this has also been
recommended for years by MS - see the URLs in the sanitizer (if they
haven't gone stale...).

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  Bush? Kerry? I'm so sick of our elections always being "choose the
  lesser of two evils."
   165 days until the Presidential Election

More information about the esd-l mailing list