lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 4 Jun 2004 08:09:39 -0700
From: "Spencer, Mark" <mspencer@...dentdata.com>
To: <1@...ware.com>, <bugtraq@...urityfocus.com>
Cc: <NTBugtraq@...tserv.ntbugtraq.com>
Subject: RE: PING: Outlook 2003 Spam


Hello,

A coworker and I spent much of the day yesterday trying to replicate
this behavior and we were not able to do so.  The only time we can get
Outlook 2003 to pull anything from our server with this code is when we
send the email within our own MS Exchange.  We've tried multiple
clients, multiple SMTP servers, and many variations of the code below
and have not been successful, other than emails sent between Exchange
users.

I have not seen any other comments on this issue.  Is it possible
Microsoft has already patched Outlook 2003 to only allow this behavior
when dealing with a trusted zone?

Mark

-----Original Message-----
From: http-equiv@...ite.com [mailto:1@...ware.com] 
Sent: Tuesday, May 11, 2004 8:42 AM
To: bugtraq@...urityfocus.com
Cc: NTBugtraq@...tserv.ntbugtraq.com
Subject: PING: Outlook 2003 Spam



Tuesday, May 11, 2004

Outlook 2003 the premier mail client from the company called 'Microsoft'
certainly appears to have a lot of security features built into it.
Cursory examination shows excellent thought into 'spam' containment,
'security' consideration and many other little 'things'. So much so the
default rendering of html is in so-called 'restricted zone' which
disallows nearly everything [frames, iframes, objects, scripting etc.].
In addition 'special' spam measures are taken to disallow graphic
downloads from a remote server in html email which can be used to verify
recipients:

[screen shot: http://www.malware.com/duhlook.png 40KB]        

The Key Word is: nearly 

Utilising Outlook's own bizarre scheMAH ! which comprises a 'proper'
frame along with an src pointing to our remote server, we are able to
ping the server and confirm our recipient has viewed our email. We don't
require graphics or frames or iframes to do that:

<v:vml frame style="LEFT: 50px; WIDTH: 300px; POSITION: 
relative; TOP: 30px; HEIGHT: 200px" 
src = "http://www.malware.com/duh.txt#malware"></v:vmlframe>

<HTML>
<HEAD>
<STYLE>
v\:* { behavior: url(#default#VML); }
</STYLE>
<XML:NAMESPACE NS="urn:schemas-microsoft-com:vml" PREFIX="v"/> </HEAD>


Notes:

1. We now commence our examination of the Microsoft Office 2003 suite,
we're a bit late, but it has taken all this time to save up to buy the
thing 2. Quick 72 hour prodding reveals that this 'perceived' premier
device known as Outlook 2003 is in fact riddled with holes 3. Do not
receive or open any emails period.  Use string and tin cans if you must
communicate



End Call


--
http://www.malware.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ