INFORMATION ALERT


AN EMERGING ISSUE WITH:
MICROSOFT OUTLOOK EXPRESS AND INTERNET EXPLORER 6


SEVERITY:
Medium

DATE:
March 29, 2002


SUMMARY:

In a post to NTBugtraq on March 28, a member of Malware.com
<http://www.malware.com> described a technique for crafting an
e-mail that automatically executes code when opened on a machine
running Outlook Express (OE) 6 and Internet Explorer (IE) 6. A
hacker could use this technique to e-mail you a Trojan that installs
itself the moment you open the message. There is no direct impact on
WatchGuard products. We recommend that administrators with OE 6 and
IE 6 on their networks apply the workarounds below until a patch
becomes available.


EXPOSURE:

The Malware.com advisory describes how to automatically execute a
program sent by e-mail to an Outlook Express 6 user. The technique
is involved and chains together several Microsoft components. A
susceptible system requires Internet Explorer (IE) 6, Outlook
Express (OE) 6 and Windows Media Player (WMP version 7.1, and
possibly earlier versions). The author of the advisory assumes that
Outlook and Outlook 2002 are susceptible as well but has not tested
those versions.

This exploit is possible because of the way OE6 handles attachments.
When you open an e-mail that has attachments, OE6 saves copies of
them in a temporary directory. As a safety measure, OE6 also renames
the copies and gives them .TMP extensions, so that a malicious
e-mail cannot simply link to the temporary copy of an attachment by
name. However, Malware.com found a technique, using nothing more
than ordinary HTML, that recovers the real attachment from its
temporary copy. By sending a specially crafted HTML e-mail, a hacker
can extract the attachments from OE6's temporary file and then link
to them from the body of the e-mail itself. The hacker could exploit
this flaw to send you a Trojan that installs itself when you open
the malicious e-mail. The advisory also notes that a hacker could
exploit the same flaw through a malicious Web page or by posting a
malicious newsgroup message.

Malware.com's advisory includes two proof-of-concept examples of
this exploit. One example requires active scripting; the second
works without it. Now that these proof-of-concept examples are in
the wild, hackers are sure to exploit this flaw.


SOLUTION PATH:

Microsoft does not yet have a patch for this flaw. Since the exploit
code is available in the wild, it is important that you protect
yourself.

To lower the impact of this vulnerability, make sure OE6 is not
allowing active scripting in e-mail. OE6 renders mail using one of
IE's security zones and, by default, uses the Restricted Sites zone,
in which active scripting is disabled. Some users may have switched
this to the Internet zone in the course of daily activities. To
confirm the setting, go to Tools => Options in OE6, click the
Security tab, make sure "Restricted sites zone" is selected, and
click OK. Because OE6 inherits the zone's settings from IE, also
check that nobody has enabled active scripting for the Restricted
sites zone itself (in IE, Tools => Internet Options => Security).
This prevents the scripted version of this exploit from working.
(Outlook has an equivalent zone setting on its Tools => Options =>
Security tab.)

The non-scripted version of this exploit is not prevented even by
OE6's most secure settings. (We have found that certain requirements
of this version of the exploit mean it succeeds only some of the
time, not on every attempt.) Until a patch is available,
administrators should caution their users not to open e-mails
containing attachments when they come from an unknown sender. Note
that Outlook Express 6 users typically have the Preview Pane turned
on, which means that merely clicking on an e-mail in the message
list renders it, including any HTML it carries. You might consider
advising them to turn the Preview Pane off (View menu => Layout,
then clear "Show preview pane"). This gives them the opportunity to
delete questionable e-mails without opening them.
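
Where inbound mail passes through a gateway you control, the
attachment advice above can be enforced there instead of relying on
users. The Python script below is an added example written for this
alert; it is not code from Malware.com, Microsoft or WatchGuard, and
it does not detect the Malware.com technique itself. It flags the
profile that technique needs, an HTML message body arriving together
with an attachment, and treats an HTML body plus an executable
attachment as a block. The three sample messages are constructed
for the test, and the list of executable extensions is an
assumption you should extend for your environment.

```python
"""Gateway-side check for the risk profile described in this alert:
HTML mail arriving together with attachments. Added example, not
vendor code; the extension list and sample messages are constructed."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly when a file is opened. Constructed
# starting list (an assumption); extend it for your environment.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                         ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}


def verdict_for(features):
    """Map the collected features to block / review / pass."""
    if features["html_body"] and features["executable_attachments"]:
        return "block"       # exactly what the technique needs
    if features["html_body"] and (features["attachments"]
                                  or features["script_in_html"]):
        return "review"      # HTML plus any attachment, or scripted HTML
    return "pass"


def inspect_message(raw):
    """Parse one RFC 822 message and report the features that matter here."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    features = {"html_body": False, "script_in_html": False,
                "attachments": [], "executable_attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue                       # containers carry no payload
        name = part.get_filename()
        if name or part.get_content_disposition() == "attachment":
            name = name or "(unnamed)"
            features["attachments"].append(name)
            if os.path.splitext(name.lower())[1] in EXECUTABLE_EXTENSIONS:
                features["executable_attachments"].append(name)
        elif part.get_content_type() == "text/html":
            features["html_body"] = True
            # Crude marker for the scripted variant; a gateway that
            # already parses HTML should use that parser instead.
            if "<script" in part.get_content().lower():
                features["script_in_html"] = True
    features["verdict"] = verdict_for(features)
    return features


def build_samples():
    """Three constructed messages (not captured mail), one per verdict."""
    trojan = EmailMessage()
    trojan["From"] = "billing@example.com"
    trojan["To"] = "user@example.net"
    trojan["Subject"] = "Your invoice"
    trojan.set_content("Your invoice is attached.")
    trojan.add_alternative("<html><body><p>Your invoice is attached."
                           "</p></body></html>", subtype="html")
    trojan.add_attachment(b"MZ\x90\x00", maintype="application",
                          subtype="octet-stream", filename="invoice.exe")

    benign = EmailMessage()
    benign["From"] = "reports@example.com"
    benign["To"] = "user@example.net"
    benign["Subject"] = "Weekly report"
    benign.set_content("Report attached as PDF.")
    benign.add_attachment(b"%PDF-1.4 ...", maintype="application",
                          subtype="pdf", filename="report.pdf")

    scripted = EmailMessage()
    scripted["From"] = "news@example.com"
    scripted["To"] = "user@example.net"
    scripted["Subject"] = "Newsletter"
    scripted.set_content("<html><body><script>window.open('x')"
                         "</script></body></html>", subtype="html")

    return {"trojan": trojan.as_bytes(), "benign": benign.as_bytes(),
            "scripted": scripted.as_bytes()}


if __name__ == "__main__":
    for label, raw in build_samples().items():
        result = inspect_message(raw)
        print(f"{label:9s} -> {result['verdict']:6s} "
              f"attachments={result['attachments']}")
```

Feed inspect_message() each message your gateway accepts and act on
the verdict. The "review" verdict is the one that matters for the
non-scripted variant: no client setting stops that version, so the
gateway is the only place left to hold HTML mail carrying
attachments until someone has looked at it.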