How Outlook 2002 can still execute JavaScript in an HTML email message

["Richard M. Smith" <rms () computerbytesman com>]

Hello,

Windows Media Player (WMP) reintroduces the ability to automatically
execute JavaScript code from an HTML email message in Outlook 2002.
JavaScript is disabled by default in Outlook 2002, because it can
facilitate the creation of worms and other malicious code which is
carried by HTML email messages.  Using a number of simple tricks, WMP
can be used to bypass the Outlook security settings and still
automatically execute JavaScript, Java, and ActiveX code in an HTML
email message.

Here is an outline of the steps needed to exploit this problem:

1.  An IFRAME tag is inserted into an HTML email message that
    references a Windows Media Skin (.WMS) file.  The .WMS
    can be loaded either from a Web site or from an attached
    file to the email message using the CID: protocol.  (Note: 
    I have only tested downloading a .WMS file from a Web site.)

2.  Because .WMS files are considered safe by Windows, WMP will
    automatically be started by Outlook and it will be passed
    the .WMS file.

3.  The .WMS file contains a short bit of JavaScript code
    in an onload handler which runs a Web page using the 
    player.LauchURL() method.  This onload handler is 
    automatically executed when WMP opens the .WMS file.  
    
4.  The Web page from step 3 can be loaded from a Web site, or 
    the source code of the Web page can be embedded in the .WMS file
    using the "about:" or "javascript:" protocol.  

Notes

1.  Other WMP file types besides a Windows Media skin file 
    can be used in step 1.  These file types include .WMZ,
    .WMD, and .WMA files.

2.  This problem is more of an example of poor security policies
    in Outlook and WMP and is not really a security hole
    in the classic sense.  

3.  Outlook Express and earlier versions of Outlook likely
    have the same security problem even with all security 
    protections set to the maximum.

4.  Hotmail however does not seem to have this security
    problem because it discards IFRAME tags.  Other Web-based
    email systems however would have the same security problem
    as Outlook if they do not do filtering of IFRAMEs.

Recommendations

1.  Outlook 2002 should not execute files downloaded by 
    an HTML IFRAME tag.  All file types except for HTML, text, 
    and image files should be discarded by Outlook 2002
    if used in an IFRAME.

2.  All WMP file types (.ASX, .WMS, .WMZ, .WMD, .WMA, etc.)
    should not be marked safe for opening since many of them
    can contain script code.  

3.  The "about:" and "javascript:" protocols should be disabled
    in the player.LauchURL() method.

Workarounds

The only work-around that I am aware of is to manually mark each Windows
Media file type as not safe-for-opening.  This process is going to be
prone to errors since there are about 10 file types that need to fixed. 

Richard M. Smith
http:/www.ComputerBytesMan.com