


Category:   Application (E-mail Client)  >   Microsoft Outlook
Vendors:   Microsoft
Microsoft Outlook 2003 Scripting Restrictions Can Be Bypassed By Remote Users
SecurityTracker Alert ID:  1010189
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 18 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2003
Description:   A vulnerability was reported in Microsoft Outlook 2003. A remote user can send a specially crafted e-mail that, when viewed or previewed by the target user, will execute arbitrary code on the target user's system.

http-equiv reported that a remote user can embed a specially crafted Windows Media Player object within a rich text message and then have the source URL point to the embedded media file. When the target user views the message, scripting code within the media file will reportedly be executed, regardless of the target user's Outlook security settings or Windows Media Player settings.

A demonstration exploit mail message is provided at:

Impact:   A remote user can send e-mail that, when viewed or previewed, will execute arbitrary code on the target user's system with the privileges of the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  ROCKET SCIENCE: Outlook 2003

Monday, May 17, 2004

Technical final step to 'silent delivery and installation of an 
executable on the target computer, no client input other than 
reading an email' this can be achieved with the highly 
touted 'secure-by-default'  Outlook 2003 mail client from the 
craftsman known as 'Microsoft'.

Default settings of the 'gadget' are: restricted zone which 
means no active x controls, no scripting, no file downloads etc.

This can all very easily be bypassed by simply embedding in a 
rich text message our OLE object, one Windows Media Player. We 
then point our source url to our media file which includes our 
now run-of-the-mill 0s url flip and simply by previewing or 
opening the email message invoke our device known as Internet 
Explorer to proxy our manipulation of the recipient's machine.

In typical fashion despite the settings in the Windows Media 
Player being set to 'disallow' scripting in media files, despite 
Outlook 2003's 'highly' secure default setting of view html 
content in the so-called 'restricted zone'; it all still works !

[screen shot: 46KB]

This now all automates our process and coupling it with our 
previous first step finding:


all we need to do next is our second step and embed the entire 
package including the media file into the mail message and send 
it along its merry way.

The whole Outlook 2003 'gadget' is broken.

Working Example:

Simply view the mail message:


1. Miserable selection of full screen = true can allow us to run 
our 'video' in WMP full screen mode. How about that: forget 
about html spam messages, now we have full screen video 
advertisements on opening the mail message.
2. Tested on XP, 2K3 POP mail client settings Outlook 2003, 
Exchange Server settings unknown at this time
3. Subject to initial WMP settings a notification of connection 
settings can pop up, however generally dismissed at first 
running of WMP along with neither yes nor no selection having an 
effect [as usual].
4. Firewalls should flag Outlook itself trying to escape out on 
port 80. Nevertheless if all embedded no need for remote hosting.
5. Disable HTML settings or get another mail client [better of 
the two as below]
6. Lots more where this came from

End Call
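
A mail-gateway triage check for the message structure described above, as an added example that is not part of the original advisory or post: it flags `<object>`/`<embed>` elements in HTML parts and reports whether each source is carried inside the message (`cid:`) or fetched remotely, since note 4 points out that a fully embedded message gives a firewall nothing to see. It assumes the object arrives in a `text/html` MIME part; the function names, the sample message and its `example.invalid` Content-ID are constructed, and the two class IDs are those of the Windows Media Player ActiveX control.

```python
import email
from email import policy
from html.parser import HTMLParser

# Windows Media Player ActiveX class IDs (6.4 and 7+), lower-cased.
WMP_CLSIDS = {"22d6f312-b0f6-11d0-94ab-0080c74c7e95", "6bf52a52-394a-11d3-b153-00c04f79faa6"}

class ObjectFinder(HTMLParser):
    """Records each <object>/<embed> and the URLs it is told to load."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("object", "embed"):
            clsid = a.get("classid", "").lower().replace("clsid:", "")
            urls = [a[k] for k in ("src", "data") if a.get(k)]
            self.found.append({"tag": tag, "wmp": clsid in WMP_CLSIDS, "urls": urls})
        elif tag == "param" and self.found and a.get("name", "").lower() in ("url", "filename", "src"):
            self.found[-1]["urls"].append(a.get("value", ""))

def classify(url, cids):
    """Tag a source URL: carried in this message (cid:), remote, or other."""
    low = url.strip().lower()
    if low.startswith("cid:"):
        return "embedded" if url.strip()[4:] in cids else "cid-unresolved"
    return "remote" if low.startswith(("http://", "https://")) else "other"

def scan_message(raw):
    """Return one finding per <object>/<embed> in the message's HTML parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    cids = {str(p["Content-ID"]).strip("<> ") for p in msg.walk() if p["Content-ID"]}
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = ObjectFinder()
        finder.feed(part.get_content())
        for f in finder.found:
            f["sources"] = [(classify(u, cids), u.strip()) for u in f.pop("urls")]
            findings.append(f)
    return findings

# Constructed sample: HTML part with a WMP object whose source is an attached part.
SAMPLE = (b'MIME-Version: 1.0\nContent-Type: multipart/related; boundary="b1"\n\n'
          b'--b1\nContent-Type: text/html\n\n<object classid="CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6">'
          b'<param name="URL" value="cid:clip@example.invalid"></object>\n'
          b'--b1\nContent-Type: video/x-ms-asf\nContent-ID: <clip@example.invalid>\n\nplaceholder\n--b1--\n')
print(scan_message(SAMPLE))
```

A finding with `wmp` set and an `embedded` source is the case a port-80 egress rule will not catch, so it has to be quarantined or stripped at the gateway.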


