Bugtraq mailing list archives

Re: MS Outlook alert : Cuartango Active Setup


From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Mon, 8 Nov 1999 13:04:23 -0800


At 11:54 AM 11/8/99 -0800, Elias Levy wrote:
Juan Carlos Garcia Cuartango has found the following security vulnerability
in Microsoft Outlook. This is a highly dangerous issue. It allows a remote
attacker to email an Outlook user an executable which will be run when
the user views the attachment without asking them whether to save it or
execute it.

Quick fix: Disable Javascript in Outlook.

There's a wrinkle in this one that I think people need to be aware of -
Outlook uses the security zones that IE also uses.  By default, everything
runs in the 'Internet Zone', though you can get your mail to run in the
"Untrusted Zone".  Even if your mail is currently set to run in the
untrusted zone, any HTML attachments will run in the "Internet Zone".  I
have now been running my e-mail client at work using the untrusted zone
(and actually tweaked beyond that) for a couple of months, and have not
noticed any ill effects at all.  I also like to view HTML attachments as
pure text to see what is in there, but then I'm fairly paranoid and
recognize that end-users can't be expected to do that.

If you want to make sure you've got all the bases covered, then you need to
disable JavaScript in both zones.  I also recommend investigating all
sorts of attachments carefully.

David LeBlanc
dleblanc () mindspring com
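
A way to check the advice above on a Windows host, as an added example that is not part of the original message. It assumes the "Untrusted Zone" in the message is the zone Windows lists as Restricted sites (zone 4), that the Internet Zone is zone 3, and that scripting is controlled by URL action 1400 (Active scripting) under the standard Internet Settings\Zones registry keys.

```powershell
# Added example: report the Active scripting setting for the Internet and
# Restricted sites zones in every registry location that can carry it.
# Assumption: zone 4 is the "Untrusted Zone" referred to in the message.
$zones   = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$action  = '1400'                                  # Active scripting
$meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Per-user and per-machine settings, plus the policy copies of each.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

$report = foreach ($root in $roots) {
    foreach ($id in ($zones.Keys | Sort-Object)) {
        $path = Join-Path $root "$id"
        if (-not (Test-Path $path)) { continue }   # hive has no key for this zone

        $item = Get-ItemProperty -Path $path -Name $action -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }           # action not set in this hive

        $value = [int]$item.$action
        $label = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { "Unknown ($value)" }

        [pscustomobject]@{
            Zone             = $zones[$id]
            Location         = $root
            ActiveScripting  = $label
            ScriptingBlocked = ($value -eq 3)       # only "Disabled" counts as covered
        }
    }
}

$report | Format-Table -AutoSize -Wrap

# Both zones must be disabled: HTML attachments run in the Internet Zone
# even when the mail itself runs in the more restrictive zone.
$open = $report | Where-Object { -not $_.ScriptingBlocked }
if ($open) {
    Write-Warning ("Active scripting is not disabled in: " +
        (($open | ForEach-Object { $_.Zone } | Sort-Object -Unique) -join ', '))
}
```

The script only reports each location where the setting is stored; which one takes effect depends on whether policy keys are present on the host.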

