RE: Ilfak's WMF patch v. Microsoft's solution

[Hank Nussbacher <hank () efes iucc ac il>]

On Mon, 2 Jan 2006, Richard M. Smith wrote:

See:
http://www.overcomeemailoverload.com/advice/DangerousEmail.html

-Hank

> I believe that it is possible that all versions of Outlook and Outlook
> Express will render an IFRAME in HTML email messages if the IFRAME uses the
> CID: protocol to reference an attached file.  IFRAMEs will work in this
> situation  regardless of security settings.  I know for example that Outlook
> 2003 never blocks images loaded with the CID: protocol in HTML email
> messages.
>
> If my theory is correct, then it should be possible to build a worm that
> auto-executes simply by reading an HTML email message.  The worm also would
> not require an external Web site to operate.
>
> I asked Microsoft about the IFRAME/CID: issue on Friday.  They haven't said
> yet if this is a problem or not.  I don't have any good way to test it
> myself.
>
> Richard
>
> -----Original Message-----
> From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
> Behalf Of Matthew Murphy
> Sent: Monday, January 02, 2006 12:04 AM
> To: funsec () linuxbox org
> Subject: Re: [funsec] Ilfak's WMF patch v. Microsoft's solution
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Richard M. Smith wrote:
> > My gut says that the ill-advised ABORTPROC "feature" of .WMF files has
> > no legit uses and therefore should be killed ASAP.  OTOH, Microsoft's
> > current alternative of turning off the Windows picture/FAX viewer is much
> worse.
> > Microsoft fails to point out that turning off the viewer kills the
> > ability to view digital photos which is a big deal for many Windows users.
>
> Aside from the fact that it kills some functionality that many users use,
> Microsoft's workaround is not very effective.
>
> Disabling Picture and Fax viewer *WILL* protect a default Windows XP PC with
> IE installed from being exploited.  However, if the user uses a different
> image viewer that will render WMFs as the default viewer for those (or other
> similar) types of files, they will get owned.
>
> > I'm really concerned that we will see the mother-of-email-worms in the
> > next week or two before Microsoft releases a patch on Windows update.
> > I suspect Microsoft's patch will look a lot like Ilfak's which will
> > simply kill ABORTPROC.
>
> I don't see the ability to exploit WMFs being a major boost to an e-mail
> worm.  For one, WMFs won't be rendered inline (i.e., automatically).
> Unless a user is still running an e-mail client that allows IFRAMEs to be
> rendered when reading mail, they won't be affected unless they manually open
> the attachment.
>
> Other vulnerabilities could have been much worse as far as e-mail worms are
> concerned.  We might see a worm, but I highly doubt it would be the
> mother-of-all e-mail worms.  That's a little excessive on the hype, IMHO.
>
> - --
> "Social Darwinism: Try to make something idiot-proof, nature will provide
> you with a better idiot."
>
>                                 -- Michael Holstein
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFDuLQtfp4vUrVETTgRA9frAJ9cGGnXjrWhKYflY86Bwk3PxZ+LlACfbsKA
> mNEs79zCMw3+gRSnfG9FOBk=
> =FkxG
> -----END PGP SIGNATURE-----
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>
>  +++++++++++++++++++++++++++++++++++++++++++
>  This Mail Was Scanned By Mail-seCure System
>  at the Tel-Aviv University CC.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.