[ GFISEC04102001 ] Internet Explorer and Access allow macros to be executed automatically

From: Sandro Gauci (sandroat_private)
Date: Tue Feb 12 2002 - 03:24:00 PST


    GFI Security Labs Advisory
    http://www.gfi.com/
    
    
    
    ----[Title: 
    
    [ GFISEC04102001 ]   Internet Explorer and Access allow macros to be 
                         executed automatically
    
    
    
    ----[Published: 
    
    12.FEB.2002
    
    
    ----[Vendor Status:
    
    Microsoft has been informed and we have worked with them to release
    a patch.
    
    
    
    ----[Systems Affected: 
    
    
    Windows machines with:
    
       * Microsoft Access
    
         and
    
       * Internet Explorer version 5 through version 6. Older versions may be 
         vulnerable as well.
    
       * Outlook Express 2000,
    
       * Outlook Express 98,
    
       * Outlook 2000,
    
       * Outlook 98
    
       * possibly other HTML and/or 
         Javascript enabled email clients.
    
    
    
    ----[The problem:
    
    
    GFI, developer of email content checking & network security 
    software, has recently discovered a security flaw within 
    Internet Explorer which allows a malicious user to run 
    arbitrary code on a target machine as it attempts to view 
    a website or an HTML email. 
    
    The problem is exploited by embedding VBA code in an Access 
    database file (.mdb), which is itself placed inside an Outlook 
    Express email file or Multipart HTML (mht) file. 
    
    If the email file is accessed using Internet Explorer, the 
    attachment may be automatically executed without triggering 
    any security alerts. The exploit will work regardless of 
    the security level (in our labs, we also tested it with High 
    Security and Restricted Zone).
    
    This may be exploited through email by using an iframe 
    tag or using Active Scripting to call the malicious file 
    through an HTML email, allowing Internet Explorer to 
    automatically access the exploit EML file.
    
    
    
    ----[Proof of concept Exploit:
    
    A live example of the named exploit is available on:
    
    http://www.gfi.com/emailsecuritytest
    
    
    ----[Solution:
    
    Filtering HTML email for JavaScript and similar scripting 
    capabilities, as well as checking for IFRAME, will prevent the 
    exploit from being run through email. This can be easily done 
    using GFI's Mail essentials & Mail Security for Exchange 2000.
    
    GFI Security Labs also recommends filtering out mdb files.
    
    You might also want to consider blocking access to EML, 
    MHTML and MHT files through HTTP and SMTP. It is also 
    important to apply the patch distributed by Microsoft.
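
The filtering described above can be sketched as a gateway check. This is an added example, not GFI's code or part of the original advisory: `scan_message`, `build_sample`, the extension list and the tag list are assumptions, and the sample messages are constructed with harmless placeholder content.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumed policy, following the advisory's recommendations.
BLOCKED_EXTENSIONS = (".mdb", ".eml", ".mht", ".mhtml")
ACTIVE_TAGS = {"script", "iframe"}


class ActiveContentFinder(HTMLParser):
    """Records script/iframe tags, on* handlers and script: URLs."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before this call.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"html tag <{tag}>")
        for name, value in attrs:
            url = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif url.startswith(("javascript:", "vbscript:")):
                self.findings.append(f"script URL in {name} on <{tag}>")


def scan_message(raw_bytes):
    """Return the reasons to quarantine a raw message (empty list = pass)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.walk():
        filename = part.get_filename() or ""
        if filename.lower().endswith(BLOCKED_EXTENSIONS):
            reasons.append(f"blocked attachment {filename}")
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            reasons.extend(finder.findings)
    return reasons


def build_sample(html, attachment_name=None):
    """Constructed test message; harmless placeholder content."""
    m = EmailMessage()
    m.set_content(html, subtype="html")
    if attachment_name:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```

The check matches on file name only, so it complements rather than replaces the Microsoft patch: a renamed attachment passes the extension test.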
    
    
    
    ----[Reference:
    
    http://www.gfi.com/emailsecuritytest
    
    
    ----[Contact Information:
    
    Sandro Gauci
    GFI Security Labs
    sandroat_private
    http://www.gfi.com
    
    
    


