GFI has recently discovered a security flaw within
Internet Explorer which allows a malicious user to run
arbitary code on a target machine as it attempts to view
a website or an HTML email.
The problem is exploited by embedding a VBA code within a
Access database file (.mdb) within an Outlook Express email
file or Multipart HTML (mht) file.


If the email file is accessed using Internet Explorer, the
attachment may be automatically executed without triggering
any security alerts. The exploit will work regardless of
the security level (in our labs, we also tested it with High
Security and Restricted Zone).

This may be exploited through email by using an iframe
tag or using Active Scripting to call the malicious file
through an HTML email, allowing Internet Explorer to
automatically access the exploit EML file.



----[Proof of concept Exploit:

A live example of the named exploit is available on:

http://www.gfi.com/emailsecuritytest


----[Solution:

Filtering HTML email for JavaScript and similarly scripting
capabilities as well as checking for IFRAME will prevent the
exploit to be run through email. This can be easily done
using GFI's Mail essentials & Mail Security for Exchange 2000.

GFI Security Labs also recommends filtering out mdb files.

You might also want to consider blocking access to EML,
MHTML and MHT files through HTTP and SMTP. It is also
important to apply the patch distributed by Microsoft.

----[Systems Affected:


Windows machines with :

* Microsoft Access

and

* Internet Explorer version 5 till version 6. Older versions may be
vulnerable as well.

* Outlook Express 2000,

* Outlook Express 98,

* Outlook 2000,

* Outlook 98

* possibly other HTML and/or
Javascript enabled email clients.