SAN MATEO (07/31/2000) - The headline of this article includes a quote from the SANS Institute, regarding yet another Internet Explorer (IE) vulnerability discovered by Georgi Guninski. (See www.nat.bg/~joro/access-desc.html for Georgi's original advisory and www.sans.org/newlook/resources/win_flaw.htm for the quote.) As we write this, however, someone seems to be giving SANS a run for its money with a July 18 post to BugTraq (www.securityfocus.com/bugtraq/archive) regarding an even more serious vulnerability in Microsoft Corp.'s Outlook and Outlook Express.
The problem was a classic buffer overflow issue caused by stuffing a section of the date field in the header of an e-mail with an unexpectedly large amount of data. When such a message is downloaded via POP3 or IMAP4, the inetcomm.dll file responsible for parsing the Greenwich Mean Time token does not perform proper bounds checking, causing Outlook/Outlook Express to crash and making arbitrary code execution possible. As anyone will tell you, once arbitrary commands have executed, the game is over. A "mailicious" message with a date-bomb could silently install Trojans, spread worms, compromise the target system, launch an attachment -- practically anything.
Outlook Express users merely have to open a folder containing a malicious e-mail to become vulnerable, and typically the act of simply downloading such a message while checking mail will cause the crash/overflow. Outlook Express users are then kind of stuck -- the message never successfully downloads and the exploit will crash the program on every subsequent attempt to retrieve mail. One work-around is to use a non-Outlook mail client to retrieve the mail and delete it. Netscape Messenger does a handy job of this, displaying the date field in the preview pane to indicate which are the offending messages. Outlook users are vulnerable if they preview, read, reply, or forward an offending message.
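As an added illustration (not code from the column or from Microsoft), here is the kind of defender-side check a mail gateway or alternative client could run to spot the pattern described above: a Date header whose time-zone token is far longer than any legitimate zone, so the message can be quarantined or deleted before a vulnerable Outlook ever parses it. The sample headers are constructed, and the 5-character zone bound is my assumption, not a value from the advisory.

```python
import re
from email.parser import HeaderParser

# RFC 822 Date: [day-of-week ","] day month year hh:mm[:ss] zone
# The zone is a numeric offset (+HHMM/-HHMM) or a short name such as GMT/UT.
DATE_RE = re.compile(
    r"^\s*(?:(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s*)?"
    r"\d{1,2}\s+[A-Za-z]{3}\s+\d{2,4}\s+"
    r"\d{1,2}:\d{2}(?::\d{2})?\s+"
    r"(?P<zone>\S+)\s*$"
)
MAX_ZONE_LEN = 5  # assumed sane upper bound: "+0000" or a 3-5 letter zone name


def check_date_header(raw_headers: str) -> dict:
    """Parse one message's header block and classify its Date header.

    Returns {"ok": bool, "reason": str, "zone_len": int}; a zone token longer
    than MAX_ZONE_LEN is the shape of the oversized-GMT-token message.
    """
    msg = HeaderParser().parsestr(raw_headers)
    date = msg.get("Date")
    if date is None:
        return {"ok": True, "reason": "no Date header", "zone_len": 0}
    m = DATE_RE.match(date)
    if m is None:
        # Not even RFC 822 shaped: treat as suspicious rather than guess.
        return {"ok": False, "reason": "Date header not RFC 822 shaped", "zone_len": len(date)}
    zone = m.group("zone")
    if len(zone) > MAX_ZONE_LEN:
        return {"ok": False, "reason": f"zone token is {len(zone)} chars", "zone_len": len(zone)}
    return {"ok": True, "reason": "well-formed", "zone_len": len(zone)}


def find_offending(messages: list) -> list:
    """Return the indices of messages whose Date header fails the check,
    so they can be removed from the mailbox with a non-Outlook client."""
    return [i for i, raw in enumerate(messages) if not check_date_header(raw)["ok"]]


# Constructed sample headers: one normal, one with an oversized GMT token.
GOOD = "From: alice@example.test\r\nDate: Tue, 18 Jul 2000 10:15:00 GMT\r\nSubject: hi\r\n\r\n"
OFFSET = "From: carol@example.test\r\nDate: 18 Jul 2000 10:15:00 +0200\r\nSubject: hi\r\n\r\n"
BAD = ("From: bob@example.test\r\nDate: Tue, 18 Jul 2000 10:15:00 GMT"
       + "x" * 600 + "\r\nSubject: hi\r\n\r\n")

if __name__ == "__main__":
    for raw in (GOOD, OFFSET, BAD):
        print(check_date_header(raw))
    print("offending message indices:", find_offending([GOOD, OFFSET, BAD]))
```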
Underground Security Systems Research (USSR, at www.ussrback.com) has claimed credit for discovering this flaw, but said it waited until Microsoft had prepared a patch before going public. USSR subsequently posted its own exploit, which opened up a connection to its Web site. It's only a matter of time before all hell breaks loose over this one.
To fix this problem, see www.microsoft.com/technet/security/bulletin/MS00-043.asp. The vulnerability can be eliminated by a default installation of either IE 5.01 Service Pack 1 or IE 5.5 (except on Windows 2000). Microsoft has promised that specific patches for this vulnerability are forthcoming.
Actually, we think everyone has missed the boat. The access vulnerability touted by SANS is Georgi's 13th advisory of this year. Concerned citizens may want to look back at his ninth announcement at www.nat.bg/~joro/eml-desc.html.
This one has it all: surreptitious download of a file without user intervention and subsequent execution of this file from within the same e-mail message. Many have whispered about the ability to "force-feed" e-mail attachments like this (see our July 17 column, "Massive proliferation of client-side attacks shifts focus from Net server security," for details). But by leveraging other exploits he has developed, Georgi delivers the total package.
The trick is the use of an inline frame tag within the body of an e-mail message that references an attachment carried by the same message. For some peculiar reason that perhaps only Georgi knows, when the tag "touches" the attached file, it is flushed to disk. It is then child's play to call the file from a script embedded in the body of the very same message. The file Georgi writes is a .CHM file, which he has graciously configured, using an embedded "shortcut" command, to call Wordpad.
In our testing of this attack against Windows 9x/2000, Windows NT, Microsoft Outlook, and Outlook Express, this exploit was triggered flawlessly, most often when simply previewed. The only defense against this one is conscientious use of ActiveX, which few have mastered. As far as we know, Microsoft has not acknowledged this.
We suspect many people are running around like chickens with their heads cut off about the most dangerous errors Microsoft has ever made, but cooler heads will realize that Microsoft just happens to be the biggest target because of the popularity of its software. The rest of the vendors in the industry should thank their lucky stars in the short term that no one is paying such close attention to the skeletons in their own code. At some point, all of this scrutiny is going to pay off for the Big M, however; all of this world-class code review is priceless -- and they're getting it all for free. In a few years, we'll see who's left standing. As for us, we're going with the guy who's been under fire the most and lived to tell about it.
Those of you who still feel safe using e-mail, send comments to firstname.lastname@example.org.
Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultant Foundstone (www.foundstone.com).