Results 1 to 4 of 4

Thread: OE/IE6/WMP Temporary File Exploit

  1. #1
    Senior Member
    Join Date
    Jan 2002

    OE/IE6/WMP Temporary File Exploit




    March 29, 2002


    In a post to NTBugtraq on March 28, a member of
    <> described a technique for crafting an e-
    mail that automatically executes code when opened on a machine with
    Outlook Express (OE) 6 and Internet Explorer (IE) 6. A hacker could
    use this technique to e-mail you a Trojan that installs
    automatically when you simply open the e-mail. There is no direct
    impact on WatchGuard products. We recommend administrators using OE
    and IE 6 in their network follow the workarounds below until a patch
    becomes available.


    The advisory describes how to automatically execute a
    program sent via e-mail to an Outlook Express 6 user. This
    complicated technique uses many of Microsoft's embedded
    applications. A susceptible system requires Internet Explorer (IE)
    6, Outlook Express (OE) 6 and Windows Media Player (WMP version 7.1,
    and possibly earlier versions). The author of the advisory assumes
    Outlook and Outlook 2002 are susceptible as well but has not tested
    these versions.

    This exploit is possible because of the way OE6 stores temporary
    attachments. When you open an e-mail that has attachments, OE6 saves
    them in a temporary directory. For security reasons, OE6 also
    changes the names of the attachments and gives them .TMP extensions.
    This name change is meant to prevent malicious e-mails from linking
    to temporary copies of the attachments. However, members of have found a technique, using common, garden-variety
    HTML commands, that extracts the real attachment from its temporary
    copy. By sending a specially crafted HTML e-mail, a hacker can
    extract the attachments from OE6's temporary file and then link to
    the attachments from the e-mail itself. The hacker could exploit
    this flaw to send you a Trojan that self-installs when you open the
    malicious e-mail. The advisory also mentions that a hacker could
    exploit this flaw through a malicious Web page or by posting a
    malicious newsgroup message.'s advisory includes two "proof-of-concept" examples of
    this exploit. One example requires active scripting, while the
    second can do without. Now that these proof-of-concepts examples are
    in the wild, hackers are sure to exploit this flaw.


    Microsoft does not yet have a patch for this flaw. Since the exploit
    code is available in the wild, it is important that you protect

    To lower the impact of this vulnerability, ensure OE6 is not
    allowing active scripting. OE6 denies active scripts by default;
    however, some users may have changed this setting in the course of
    daily activities. To confirm OE6 is denying active scripting, go to
    Tools => Options in OE6 and click the Security tab. Make sure OE6 is
    opening mail in the Restricted Sites Zone and click OK. This
    prevents the active script version of this exploit from working.
    (These same instructions apply to Outlook users as well.)

    The non-scripted version of this exploit is not prevented even by
    OE6's most secure settings. (Thankfully, we have found that certain
    requirements of this version of the exploit give it only a random
    chance of succeeding.) Until a patch is available, administrators
    might caution their users not to open e-mails containing attachments
    when delivered from an unknown sender. Outlook Express 6 users
    typically have the Preview Pane turned on, which means that clicking
    on an e-mail opens it. You might consider advising them to turn it
    off (View menu => Preview Pane). This gives them the opportunity to
    delete questionable e-mails without opening them.
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  2. #2
    AntiOnline Senior Member
    Join Date
    Oct 2001
    Good heads up! Thanx zigar!
    [shadow]uraloony, Founder of Loony Services[/shadow]
    Visit us at

  3. #3
    Hmmm Outlook.....

    BTW: Thanks for the infomation zigar

  4. #4
    The Iceman Cometh
    Join Date
    Aug 2001
    Thanks for the post. I recently moved from OE to full Outlook XP (I was using OE because it could check my Hotmail accounts which Outlook 2000 could not do). I never was too fond of OE... especially with their lack of filters and the ability to quarantine attachments.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts