funsec mailing list archives
RE: Ilfak's WMF patch v. Microsoft's solution
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 2 Jan 2006 07:43:42 -0500
The article is interesting, but dated. It doesn't talk about the latest versions of Outlook and Outlook Express and how they handle IFRAMEs and the CID: protocols. Part of the problem we are dealing with here is poor documentation from Microsoft.

Richard

-----Original Message-----
From: Hank Nussbacher [mailto:hank () efes iucc ac il]
Sent: Monday, January 02, 2006 7:39 AM
To: Richard M. Smith
Cc: funsec () linuxbox org
Subject: RE: [funsec] Ilfak's WMF patch v. Microsoft's solution

On Mon, 2 Jan 2006, Richard M. Smith wrote:

> I believe that it is possible that all versions of Outlook and Outlook Express will render an IFRAME in HTML email messages if the IFRAME uses the CID: protocol to reference an attached file. IFRAMEs will work in this situation regardless of security settings. I know for example that Outlook 2003 never blocks images loaded with the CID: protocol in HTML email messages.
>
> If my theory is correct, then it should be possible to build a worm that auto-executes simply by reading an HTML email message. The worm also would not require an external Web site to operate.
>
> I asked Microsoft about the IFRAME/CID: issue on Friday. They haven't said yet if this is a problem or not. I don't have any good way to test it myself.
>
> Richard
>
> -----Original Message-----
> From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Matthew Murphy
> Sent: Monday, January 02, 2006 12:04 AM
> To: funsec () linuxbox org
> Subject: Re: [funsec] Ilfak's WMF patch v. Microsoft's solution
>
> Richard M. Smith wrote:
> > My gut says that the ill-advised ABORTPROC "feature" of .WMF files has no legit uses and therefore should be killed ASAP. OTOH, Microsoft's current alternative of turning off the Windows picture/FAX viewer is much worse. Microsoft fails to point out that turning off the viewer kills the ability to view digital photos which is a big deal for many Windows users.
>
> Aside from the fact that it kills some functionality that many users use, Microsoft's workaround is not very effective. Disabling Picture and Fax viewer *WILL* protect a default Windows XP PC with IE installed from being exploited. However, if the user uses a different image viewer that will render WMFs as the default viewer for those (or other similar) types of files, they will get owned.
>
> > I'm really concerned that we will see the mother-of-email-worms in the next week or two before Microsoft releases a patch on Windows update. I suspect Microsoft's patch will look a lot like Ilfak's which will simply kill ABORTPROC.
>
> I don't see the ability to exploit WMFs being a major boost to an e-mail worm. For one, WMFs won't be rendered inline (i.e., automatically). Unless a user is still running an e-mail client that allows IFRAMEs to be rendered when reading mail, they won't be affected unless they manually open the attachment. Other vulnerabilities could have been much worse as far as e-mail worms are concerned. We might see a worm, but I highly doubt it would be the mother-of-all e-mail worms. That's a little excessive on the hype, IMHO.
>
> --
> "Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot."
> -- Michael Holstein

See: http://www.overcomeemailoverload.com/advice/DangerousEmail.html

-Hank

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
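
An added illustration, not part of the original messages: a mail-filter check for the pattern discussed in this thread, an HTML body whose IFRAME loads an attached part through a cid: URL. The function names, the sample message and its Content-ID are constructed for the example.

```python
import re
from email.message import EmailMessage

# Frame tags whose src is a cid: URL, i.e. a reference to an attached MIME part.
CID_FRAME = re.compile(
    r'<\s*(?:iframe|frame)\b[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)
# Leading bytes of a placeable WMF and of the standard WMF header (type 1 or 2).
WMF_MAGICS = (b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")

def find_cid_frames(msg):
    """Return [(content_id, filename, looks_like_wmf)] for every attached part
    that an HTML body pulls in through <iframe src="cid:...">."""
    parts, refs = {}, []
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            parts[str(cid).strip().strip("<>")] = part
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "latin-1"
            html = part.get_payload(decode=True).decode(charset, "replace")
            refs += CID_FRAME.findall(html)
    findings = []
    for cid in refs:
        part = parts.get(cid)
        if part is None:          # dangling reference, nothing attached
            continue
        data = part.get_payload(decode=True) or b""
        # Judge the attachment by its content, not by its file name.
        findings.append((cid, part.get_filename(), data.startswith(WMF_MAGICS)))
    return findings

def build_sample(html, payload):
    """Constructed test message: text + HTML alternative + one attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text alternative")
    msg.add_alternative(html, subtype="html")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="image.wmf", cid="<part1@example.invalid>")
    return msg

if __name__ == "__main__":
    frame = '<html><body><iframe src="cid:part1@example.invalid"></iframe></body></html>'
    header_only = b"\xd7\xcd\xc6\x9a" + b"\x00" * 18   # WMF magic plus padding, no records
    for finding in find_cid_frames(build_sample(frame, header_only)):
        print("quarantine candidate:", finding)
```

A gateway would run this on each inbound message and hold anything it returns, whatever the client's own rendering settings are.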