RE: Notepad popups in Internet Explorer and Outlook

From: Thor Larholm (thorat_private)
Date: Tue Aug 05 2003 - 15:34:06 PDT

    The problem at hand is not one of Notepad or the view-source protocol,
    but of the behavior inherent to Internet Explorer on how to handle
    certain mimetypes and protocols. Your advisory (good as it is)
    highlights an example of the problem, but disregards the larger picture.
    
    Whether or not a specific mimetype or protocol will be automatically
    opened by the MSHTML renderer is controlled by the EditFlag registry
    key. Changing bit 0 of byte 2 controls whether the Open/Save dialog box
    appears or if the content is automatically opened.
    
    You could e.g. use this to disable the automatic opening of MIDI files,
    which would be a very quick way for most domain administrators to
    efficiently disable the MIDI exploit from last week.
    
    You can read more about EditFlag at
    http://www.cpcug.org/user/clemenzi/technical/WinExplorer/WinExplorerEditFlags.htm
    or http://perso.wanadoo.fr/tmcd2/Types.htm
    
    As such, this problem is not limited to plaintext messages, but extends
    to other types of data and other protocols.
    
    It's funny that you have looked into this now; I am currently writing up
    some stuff about inline embedding and automatic execution of media data
    and exe files in emails (MHTML/EML) which covers the broader picture. I
    guess the cat is out of the bag now, might as well release that soon ;)
    
    
    Regards
    Thor Larholm
    PivX Solutions, LLC - Senior Security Researcher
    
    
    
    -----Original Message-----
    From: Richard M. Smith [mailto:rmsat_private] 
    Sent: Monday, August 04, 2003 11:58 AM
    To: BUGTRAQ@SECURITYFOCUS.COM
    Subject: Notepad popups in Internet Explorer and Outlook
    
    
    Hi,
    
    Do Notepad popups represent a security risk or are they simply another
    way for spammers and marketers to annoy us? Because of a design flaw in
    Internet Explorer, Notepad popup windows can be displayed from an HTML
    email message or Web page regardless of browser security settings. In
    addition, Notepad popups can access files on a hard disk, possibly
    causing stability problems in a Windows system.
    
    For more details, see: 
    
      http://www.computerbytesman.com/security/notepadpopups.htm
    
    Question:  What kind of operating system allows an email message to
    automatically start up a text editor to change a system file?
    
    Richard M. Smith
    http://www.ComputerBytesMan.com
    
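Thor's EditFlags suggestion above, as an added PowerShell example (it is not code from either post). Bit 0 of byte 2 of the little-endian EditFlags DWORD is 0x00010000, the FTA_OpenIsSafe flag from shlwapi.h; when it is set, Internet Explorer launches the file type's handler without asking, and when it is clear the Open/Save prompt comes back. The script reads EditFlags whether it is stored as REG_DWORD or REG_BINARY, changes only that one bit, and writes the value back in the same type. The ProgID for .mid is assumed to be whatever the default value of HKCR\.mid names (often midfile, but check, since a media player install can rebind it). Run it from an elevated PowerShell; -WhatIf shows the change without writing it.

```powershell
# Added example, not from the original post. Toggles FTA_OpenIsSafe
# (EditFlags bit 0 of byte 2 = 0x00010000) on a file-type ProgID so that
# Internet Explorer prompts with Open/Save instead of auto-launching the
# handler. Requires an elevated session because HKCR writes land in HKLM.

$FTA_OpenIsSafe = [int64]0x00010000   # from shlwapi.h FILETYPEATTRIBUTEFLAGS

function Get-EditFlags {
    # Returns the EditFlags value as an Int64 plus the registry kind it was
    # stored as, so the caller can write it back in the same representation.
    param([Parameter(Mandatory)][string]$ProgId)
    $rk = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$ProgId" -ErrorAction Stop
    if ($rk.GetValueNames() -notcontains 'EditFlags') {
        # No EditFlags at all means every attribute bit is clear.
        return [pscustomobject]@{ Value = [int64]0; Kind = 'DWord' }
    }
    $raw  = $rk.GetValue('EditFlags')
    $kind = $rk.GetValueKind('EditFlags')
    if ($kind -eq 'Binary') {
        # REG_BINARY form: a little-endian DWORD, sometimes shorter than 4 bytes.
        $buf = New-Object byte[] 4
        [Array]::Copy($raw, $buf, [Math]::Min($raw.Length, 4))
        $val = [int64][BitConverter]::ToUInt32($buf, 0)
    } else {
        # REG_DWORD comes back as a signed Int32; mask to an unsigned 32-bit value.
        $val = [int64]$raw -band 0xFFFFFFFFL
    }
    [pscustomobject]@{ Value = $val; Kind = $kind }
}

function Set-OpenIsSafe {
    # Clears FTA_OpenIsSafe (default) or sets it (-Enable), leaving all other
    # EditFlags bits untouched. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ProgId,
        [switch]$Enable
    )
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    $cur = Get-EditFlags -ProgId $ProgId
    $new = if ($Enable) { $cur.Value -bor $FTA_OpenIsSafe }
           else         { $cur.Value -band (-bnot $FTA_OpenIsSafe) }
    $new = $new -band 0xFFFFFFFFL              # keep it within a DWORD
    if ($new -eq $cur.Value) {
        Write-Verbose ('{0}: EditFlags already 0x{1:X8}' -f $ProgId, $cur.Value)
        return
    }
    $msg = 'EditFlags 0x{0:X8} -> 0x{1:X8}' -f $cur.Value, $new
    if ($PSCmdlet.ShouldProcess($ProgId, $msg)) {
        if ($cur.Kind -eq 'Binary') {
            $bytes = [byte[]][BitConverter]::GetBytes([uint32]$new)   # little-endian
            Set-ItemProperty -Path $key -Name EditFlags -Type Binary -Value $bytes
        } else {
            Set-ItemProperty -Path $key -Name EditFlags -Type DWord -Value ([uint32]$new)
        }
    }
}

# Usage: resolve the ProgID actually bound to .mid on this machine (assumed to
# be 'midfile' in the text above, but a media player may have rebound it),
# preview the change, apply it, then read the value back.
$progId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.mid' -ErrorAction Stop).'(default)'
Set-OpenIsSafe -ProgId $progId -WhatIf
Set-OpenIsSafe -ProgId $progId           # IE now shows Open/Save for .mid
Get-EditFlags  -ProgId $progId
```

Clearing the bit is the same thing the "Confirm open after download" checkbox in the old Folder Options / File Types dialog does, so the prompt it restores is the ordinary Open/Save dialog rather than a new control. Because the script changes one bit and preserves the rest of EditFlags (FTA_NoEdit, FTA_NoRemove and friends), it is safe to run repeatedly; a domain administrator would more likely push the resulting value with a .reg file or a Group Policy registry preference than run it on each machine.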



    This archive was generated by hypermail 2b30 : Tue Aug 05 2003 - 15:48:39 PDT