Outlook Allows Program Execution
Reported November 8, 1999 by
Juan Carlos Garcia Cuartango
VERSIONS AFFECTED
  • Outlook 98 and 2000
  • Outlook Express 4.x and 5.x

DESCRIPTION

The vulnerability allows the execution of any program immediately after opening any mail attachment such as MID, WAV, GIF, MOV, TXT, XYZ, etc.

The risk comes from the fact that Outlook programs will recreate attached files in the system's temporary directory (usually C:\TEMP in Windows NT or C:\WINDOWS\TEMP in Windows 95-98) using the original name of the attached file.

If the detached file is in fact a cabinet file containing an installable software package, any action could be taken on the victim's machine using the MS ActiveX component for software installation (the Active Setup component).

There is a higher risk when the exploit uses files such as .MID (MIDI files). This is because a simple double-click on that type of file will immediately open the Multimedia player without prompting the user.

Juan thinks this is an important issue -- the method he describes here could be used as a way to widely deploy a virus because few people suspect an innocent multimedia attachment as being malicious. Outlook programs tend to trust Multimedia attachments implicitly.

DEFENSE

Change the location of the temporary directory defined in the environment variables %TEMP% and %TMP%. Change these variables to point to an unpredictable (obscured) path name.
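One way to check for the condition this workaround addresses, as an added example that is not part of the original bulletin: it flags TEMP and TMP values that resolve to the default locations named above and proposes a randomly named replacement. The function names, the sample environment and the D:\scratch base directory are assumptions made for illustration, and values are assumed to be already expanded.

```python
import ntpath
import secrets

# Default temp locations named in the bulletin; guessable without any
# knowledge of the individual machine.
PREDICTABLE_DEFAULTS = (r"C:\TEMP", r"C:\WINDOWS\TEMP")


def _canon(path):
    """Normalise a Windows path so C:/Temp/ and c:\\temp compare equal."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def audit_temp_vars(env):
    """Classify TEMP and TMP in an environment mapping.

    Returns {name: "unset" | "predictable" | "ok"}. Both variables are
    checked because the bulletin says to change both.
    """
    defaults = {_canon(p) for p in PREDICTABLE_DEFAULTS}
    findings = {}
    for name in ("TEMP", "TMP"):
        value = env.get(name, "").strip()
        if not value:
            findings[name] = "unset"
        elif _canon(value) in defaults:
            findings[name] = "predictable"
        else:
            findings[name] = "ok"
    return findings


def suggest_temp_dir(base):
    """Return a temp path under `base` with a random 64-bit (16 hex digit) name."""
    return ntpath.join(base, secrets.token_hex(8))


if __name__ == "__main__":
    # Constructed sample environment, not taken from a real machine.
    sample = {"TEMP": "c:/windows/temp/", "TMP": r"D:\scratch"}
    for name, finding in audit_temp_vars(sample).items():
        print(f"{name}={sample.get(name)!r}: {finding}")
    print("suggested replacement:", suggest_temp_dir(r"D:\scratch"))
```

Pass `os.environ` to audit the current session. The suggested path should be generated separately on each machine so that knowing one machine's value does not reveal another's.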

Another workaround would be the more traditional course of disabling active scripting.

To guard against the risks presented in this bulletin, be sure to adjust control of ActiveX Scripting, ActiveX Controls, and Plugins in your Outlook mail client.

For Outlook 98, choose Tools, Options, and then Security from the pull-down menus. On the Security tab, adjust the Secure Content Zone to Restricted Sites. This causes Outlook to apply the Restricted Sites security profile to all email content received with the mail client.

Also, ensure that the Restricted Sites zone settings are adequate for your needs. To do so, on the same Outlook Security dialog, click the Zone Settings button, which opens a new dialog. On the new dialog, choose the Restricted Sites zone, and click the Custom Level button, which opens the Security Settings dialog window. On the dialog window, scroll through the list and adjust all ActiveX properties to either "Disable" or "Prompt." Keep in mind that if you set these controls to "Prompt," you may experience a large number of prompts on the screen while surfing the Internet. If the prompts become a bother, simply readjust the ActiveX properties to "Disable."

PLEASE NOTE: As David LeBlanc points out, performing these actions does not prevent JavaScript from executing in the Outlook mail client, although it does prevent the other cited active content from executing. To prevent JavaScript from executing in the mail client, you must adjust the Internet Zone to disable JavaScript. Remember that adjustments to the security zones in Outlook also affect the operation of Internet Explorer, and vice versa, since those two applications share security zone settings.

VENDOR RESPONSE

MS was informed of this issue on 12 October 1999. According to Juan, they are supposed to release a fix immediately. However, there has been no response as of November 8, 1999.

CREDITS
Reported by Juan Carlos Garcia Cuartango

Posted here at NTSecurity.NET on November 8, 1999