SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Microsoft Outlook Express Vendors:   Microsoft
Microsoft Outlook May Display Images in Plaintext Only Mode
SecurityTracker Alert ID:  1011890
SecurityTracker URL:  http://securitytracker.com/id/1011890
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 22 2004
Impact:   Modification of system information
Exploit Included:  Yes  

Description:   A vulnerability was reported in Microsoft Outlook. The e-mail client may display images even when configured to view messages in plain text.

http-equiv reported that a remote user can send a MIME-based e-mail message containing an image that has been Base64 encoded to a target Outlook Express user. When the target user views the received message, the image will be displayed even if the target user's mail client is configured for plain text only.

A demonstration exploit example is provided:

<img src="cid:malware">

------=_NextPart_000_0004_01C4B234.2209FD20
Content-Type: image/gif;
name="youlickit[1].gif"
Content-Transfer-Encoding: base64
Content-ID: <malware>

R0lGODlhogCiAOb/AP////8hAP8QAP8AAPdCAPcAAO97AO8IAOfeQufWUuetY+eUA
N7OEN7OAN7G

Outlook 2003 may also be affected.

Impact:   A remote user can send e-mail messages containing images that will be displayed by the target recipient's e-mail client even when configured to view messages in plain text.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/ (Links to External Site)
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Re: [Full-Disclosure] Outlook "cid:" handling - Request for Information




<!-- 

It has recently come to my attention that it is possible to 
circumvent functions inside of Microsoft Outlook 2003 and some 
other MUA's by using href tags containing "cid:". By default 
such MUAs no longer download web referenced images and objects, 
however images referencedby "cid:" strings are embedded (as 
attachments with special names) within the e-mail.

Contrary to the policy of not downloading images, it would seem 
that these are packaged with the mail (decentralised) AND are 
displayed despite non-image download policies.

 -->

The download restriction is in refernce to remote files. CID: 
is 'content id' it references the content of the appropriate 
boundry of the MIME mail message. Which in this case would be an 
image. The image is encoded and embedded within the mail message 
itself. Not on a remote server and does not /cannot download. It 
is a link inside the email to an encoding of the image which is 
then rendered. For example:

<img src="cid:malware">

------=_NextPart_000_0004_01C4B234.2209FD20
Content-Type: image/gif;
	name="youlickit[1].gif"
Content-Transfer-Encoding: base64
Content-ID: <malware>

R0lGODlhogCiAOb/AP////8hAP8QAP8AAPdCAPcAAO97AO8IAOfeQufWUuetY+eUA
N7OEN7OAN7G


Simply put it is connecting to the base64 encoded image within 
the email message by identifying it with the name malware. As 
http is to a webserver, so CID is to the content of the mail 
message.

It's not being downloaded from anywhere other than from within 
the mail message. However if what you are after is to not view 
images, the only way is to accept all email in plain text. But 
in Outlook Express [maybe Outlook 2003 haven't checked], an 
attached image file even in a plain text message, will be 
rendered.

It is a machine generated CID like this:

<CENTER><IMG SRC="CID:{F69034DE-F779-4AA2-B5A9-
7413133C2A29}/malware.JPG"></CENTER>

This harkens back to the day of the 'slide show' feature in 
Outlook Express. But again it is not retrieved remotely, rather 
from within the email message itself via the CID.

You may try some sort of filter in Outlook 2003 or definitely on 
the server to remedy whatever is concerning you.


-- 
http://www.malware.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC