lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <6.0.0.22.2.20030904220248.022c86f8@localhost>
Date: Thu, 04 Sep 2003 22:09:39 -0700
From: Andreas Marx <amarx@...a-it.de>
To: BugTraq <BUGTRAQ@...URITYFOCUS.COM>
Subject: Re: Microsoft Security Bulletin MS03-035


Hello!

I just saw the couple of security updates Microsoft has released today. And 
comments like this (from MS03-035):

>  - By default, Outlook 2002 block programmatic access to the
>    Address Book. In addition, Outlook 98 and 2000 block
>    programmatic access to the Outlook Address Book if the Outlook
>    Email Security Update has been installed. Customers who use any
>    of these products would not be at risk of propagating an e-mail
>    borne attack that attempted to exploit this vulnerability.

They are so painly WRONG with such statements!!!

Almost every newly released e-mail virus/worm is able to bypass this 
Outlook "security" feature easily. Simply, because these viruses do not 
rely on the Outlook functions (using MAPI -- and only these MAPI functions 
are "protected") to get the e-mail addresses, but they are browsing the 
whole file (in binary mode) instead of this. And they are very successfull 
with this method, plus looking for (possible) e-mail adresses in other 
files (Browser Cache, other common mail applications), too. NO 
OUTLOOK/OFFICE FEATURE BLOCKS ATTACKS LIKE THIS!

Additionally, the process to send out virus/worm-infected mails is very 
easy, too. Almost every virus author tries to avoid using the partly 
"protected" MAPI functions to send out their nasty stuff, but instead of 
this, these malwares have an own SMTP engine for ages now. Again: NO 
OUTLOOK/OFFICE FEATURE BLOCKS ATTACKS LIKE THIS!

I cannot understand why Microsoft adds comments like this in their Security 
Bulletins. Almost all viruses by-passes these Outlook "protection" features 
for ages now - I'm not speaking about months, but about several YEARS. It 
looks like that MS hasn't realised this problem yet or they are simply 
ignoring it. <sigh>

Therefore, customers are at a HIGH RISK if they are using Internet Explorer 
for web browsing and have one of the affected Office versions installed on 
their PCs. We were able to get an old macro virus running automatically 
using the information eEye and others have released. WITHOUT any kind of 
warning the worm was able to infect our system and tried to send out lots 
of infected mails at the same time! You only need to open a file (click on 
the DOC attachment in OE/Outlook) or open a web page (Word will start 
automatically after one or two seconds).

[Of course, we have tested this in our high-security virus test labs only, 
without Internet access, so the virus was only able to spread internally.]

I would rank this vulnerabilty not only as important, but as being 
CRITICAL. I'm sure, we'll see new viruses/worms and authors of malicious 
websites (e.g. for expansive porn dialers) soon which would try to exploit 
this vulnerability (and the other ones mentioned) soon. It is as important 
to apply these patches as to apply the latest cummulative IE update. I 
hope, Microsoft will think about the facts again and raise the risk ratings 
and remove such a unhelpful "mitigating factors" asap.

I hope that some av companies will add detection for these kind of 
exploits, too, to generically block such modified files. (Most av vendors 
already tried to add detection for similiar exploits.)

cheers,
Andreas Marx
Head of the Anti-Virus Test Center at the University of Magdeburg, Germany
-- 
Andreas Marx <amarx@...a-it.de>, http://www.av-test.org
I'm in the US right now and not reachable by phone or fax.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ