[Esd-l] Outlook 2003 exploit using active scripting.

John D. Hardin jhardin at impsec.org
Fri May 21 05:56:25 PDT 2004


On Thu, 20 May 2004, John D. Hardin wrote:

> On Thu, 20 May 2004, Smart,Dan wrote:
> 
> >  I'm not mangling html files, but I have NOT set
> > SECURITY_TRUST_HTML.  So I take it this takes care of this
> > vulnerability?
> 
> Again, not having seen a sample I can't say for sure, but I *think*
> the active HTML defanging will stop this exploit.

I've been in touch with the guy who found this exploit, and it seems
the description is a little misleading, at least if you are
approaching it from the POV of historical exploit methods.

The exploit is a carefully constructed Outlook Rich Text format
WINMAIL.DAT attachment.

Active HTML is apparently NOT the activation vector, it appears that
the act of parsing the TNEF attachment is what activates the attack. I
am verifying that this is indeed the vector.

Therefore, to defend against this attack, you need to set
$SECURITY_STRIP_MSTNEF and ask your correspondents to NOT use Outlook
Rich Text format for Internet email messages; this has also been
recommended for years by MS - see the URLs in the sanitizer (if they
haven't gone stale...).

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Bush? Kerry? I'm so sick of our elections always being "choose the
  lesser of two evils."
-----------------------------------------------------------------------
   165 days until the Presidential Election
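The defensive step recommended in the message above, stripping MS-TNEF (WINMAIL.DAT) parts before a client ever parses them, can be shown outside the sanitizer. The script below is an added example written for this archive page; it is not the impsec sanitizer's code and not the exploit sample. It builds a constructed multipart message whose "TNEF" attachments carry only the four-byte TNEF signature (0x223E9F78, stored little-endian as 78 9F 3E 22) followed by zero padding, then detects TNEF parts by declared MIME type, by filename, or by those magic bytes, and drops them. The function names and sample addresses are my own.

```python
"""Detect and strip MS-TNEF (winmail.dat) parts from an RFC 822 message.

Added example for this page; not the impsec sanitizer's code. Every
message built here is constructed, and the "TNEF" payloads contain
nothing but the signature bytes plus padding.
"""
import email
from email import policy
from email.message import EmailMessage

# A TNEF stream starts with the 32-bit signature 0x223E9F78, little-endian on the wire.
TNEF_SIGNATURE = b"\x78\x9f\x3e\x22"


def is_tnef_part(part):
    """True if a MIME part looks like an Outlook Rich Text (TNEF) attachment.

    Three independent signals are checked because senders and gateways do not
    label TNEF consistently: the declared type, the usual filename, and the
    magic bytes at the start of the decoded payload (catches mislabelled parts).
    """
    if part.get_content_type() == "application/ms-tnef":
        return True
    if (part.get_filename() or "").lower() == "winmail.dat":
        return True
    if not part.is_multipart():
        payload = part.get_payload(decode=True) or b""
        if payload[:4] == TNEF_SIGNATURE:
            return True
    return False


def _prune(container, removed):
    """Recursively drop TNEF parts from a multipart container, in place."""
    if not container.is_multipart():
        return container
    kept = []
    for sub in container.get_payload():
        if is_tnef_part(sub):
            removed.append(sub.get_filename() or sub.get_content_type())
        else:
            kept.append(_prune(sub, removed))
    container.set_payload(kept)
    return container


def find_tnef_parts(raw):
    """Names (filename or content type) of every TNEF-looking part in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() or p.get_content_type()
            for p in msg.walk() if is_tnef_part(p)]


def strip_tnef(raw):
    """Return (cleaned message bytes, names of the TNEF parts that were removed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    if msg.is_multipart():
        _prune(msg, removed)
    elif is_tnef_part(msg):
        # Bare TNEF body with no wrapper: replace it with a notice instead of delivering it.
        removed.append(msg.get_filename() or msg.get_content_type())
        msg.set_content("TNEF body removed by gateway.")
    return msg.as_bytes(), removed


def attachment_names(raw):
    """Filenames of the attachments that survive in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()]


def build_sample():
    """Constructed message: text body, fake winmail.dat, a mislabelled copy, and a harmless file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample with TNEF attachments"
    msg.set_content("Body text, sent in Outlook Rich Text format.")
    fake_tnef = TNEF_SIGNATURE + b"\x00" * 12  # signature only; not a real TNEF stream
    msg.add_attachment(fake_tnef, maintype="application", subtype="ms-tnef",
                       filename="winmail.dat")
    # Same bytes, generic type and name: only the magic-byte check catches this one.
    msg.add_attachment(fake_tnef, maintype="application", subtype="octet-stream",
                       filename="report.dat")
    msg.add_attachment("Harmless notes.", filename="notes.txt")
    return msg.as_bytes()


def build_bare_tnef():
    """Constructed single-part message whose whole body is declared as TNEF."""
    msg = EmailMessage()
    msg["Subject"] = "bare TNEF body (constructed)"
    msg.set_content(TNEF_SIGNATURE + b"\x00" * 12, maintype="application", subtype="ms-tnef")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    print("found:", find_tnef_parts(raw))
    cleaned, removed = strip_tnef(raw)
    print("removed:", removed, "remaining attachments:", attachment_names(cleaned))
```

The magic-byte check is the part worth keeping even if you filter on type or name elsewhere: a TNEF blob renamed or sent as application/octet-stream is still handed to the same parser by a client that recognises the signature, so a gateway that only matches on "winmail.dat" or "application/ms-tnef" leaves that path open.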