Vulnerability Development mailing list archives

Re: Outlook HTML VBS (demo)


From: dphull () MAIL UKANS EDU (Hull, Dave)
Date: Tue, 23 May 2000 07:43:33 -0500


Your message with the alert() call in it did pop up on my Outcrook. I
tried creating an HTML message using <Script language =
VBScript></VBScript> tags with code that would create a new registry
entry, but it failed every time. This may be because my code wasn't
quite right, but I was borrowing heavily from ILY, so I think it was
fine.

However, a couple of weeks before ILY hit, we had an episode of KAK
here on campus and many of us installed the patch from MS which
prevents KAK from taking effect. Quoting from MS:

    This vulnerability makes it possible for malicious web sites, HTML
    mails, or programs to use an ActiveX control to make changes to a
    user's system without his permission. The virus uses this
    vulnerability to infect the computer and ensure that copies of itself
    will be sent with future outgoing mails.

    A patch to eliminate this vulnerability has been available since
    August 1999, and customers who have applied it cannot be affected by
    the virus.

From this, it does seem that it would be possible to exploit Outlook
accounts that don't have the Kak patch installed using ActiveX
controls. However, just because you can cause a popup window using
the javascript alert() call doesn't mean that a particular
installation of Outlook is vulnerable to more dangerous attacks.
Nevertheless, it's probably a good idea to have scripts turned off
anyway.

More info on MS patch may be found here:

http://www.microsoft.com/TechNet/security/virus/kakworm.asp

Dave Hull, Senior Information Technology Analyst
LAN Support Services, University of Kansas
gpg key-> http://insipid.cc.ukans.edu/dphull/pubkey.html
