Unfixed Outlook & IE hole allows XP&Vista user promotion to Admin

March 31, 2007

I’d already decided not to post about this, but then learned more. There is no fix. No workaround. I’m vulnerable and at this point, I can’t do anything about it. Even on Vista, just previewing an HTML email in Outlook 2002+ means you are vulnerable. And that’s not just OE but the REAL Outlook used in offices everywhere. You can’t turn off JavaScript, or ActiveX or anything. You don’t even crash. Your system is just pwned…

What does MS have to say?

Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker. [...] Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.  Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary. - http://blogs.pcworld.com/staffblog/archives/003973.html

For Outlook, the only fix Microsoft has is “read all e-mail in plain text rather than HTML”. I know Outlook REALLY well, but I don’t remember a setting that does that. There’s no solution for Internet Explorer. Basically any application, even ones that you might have written in Delphi that happen to have a TBrowser component in them that is allowed access to the outside world, is vulnerable. So if you have any custom email programs you’ve written, watch out!

The basic avenue of attack is to display a customized animated cursor. Once you open that email or browse to that site, the attacker gains access to your computer. There is no crash; it just instantly happens. The code can then promote the Limited Access account you are using (because we all only use admin accounts when we need to… Yeah, right!) to an Administrator account, and then do whatever they please, from rootkits to personal webservers. Oh! and of course don’t forget that an “animated” cursor can appear to be static. It can look exactly like your normal cursor.

In the Computerworld article “Windows Zero-Day Flaw ‘Very Dangerous,’ Experts Say” (subtitled “Bug affecting IE and Windows is potentially very damaging, and there’s no quick fix in sight.”) by Gregg Keizer, there are a couple of good quotes.

“This is a good exploit,” said Roger Thompson, CTO of Exploit Prevention Labs.

“According to Adrian Stone, an MSRC program manager, Outlook 2007 is invulnerable, as is Vista’s Windows Mail–as long as users don’t reply or forward the attacker’s messages. The SANS Institute’s testing, however, contradicted Microsoft; by SANS’ account, Outlook Express in Windows XP, Windows Mail in Vista, and Outlook 2003 in any version of Windows puts users at risk when they simply preview a malicious message. They don’t have to actually open the message to be in danger of an infection.”

“Worse, we know there are vulnerabilities that can be exploited in Vista to escalate privileges,” said Brown. “All you need is access to the system, which this [animated cursor] provides.” Once inside, said Brown, the attacker could up rights from even a safer local user to administrator privileges. “Then, all bets are off.”

UPDATE:

It seems that eEye Digital Security is taking advantage of the situation and has released a patch if you have their one-year free personal edition intrusion software:

Patch Location: Download Now!
Patch Version: 1.0
Patch Source Code: View

The patch prevents the loading of any non-local .ani files. Well, my intrusion software is somewhat out of date anyway. I’ll give it a try. I’ll let you know if this is another “Scare you till you upgrade” program that is hard to remove.
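The eEye patch described above is an origin-based control (refuse any .ani that is not local), and the attack description earlier on this page says the trigger is a crafted animated cursor arriving by mail or web page. A content-based check is the other defender-side option: inspect the file's structure before anything is allowed to load it. The following Python scanner is an added example, not code from the original post, from eEye's patch, or from Microsoft's fix. It walks the RIFF container an .ani file uses and reports anomalies: a form type other than `ACON`, chunk lengths that run past the end of the file, and an `anih` chunk that is missing, duplicated, or not the 36 bytes the `ANIHEADER` structure occupies. The 36-byte header size and the one-`anih`-per-file expectation come from the public RIFF/ACON format, not from the post; the function names (`check_ani`, `build_ani`) and the sample files are my own, and the samples are constructed inline rather than real cursors.

```python
"""Structural sanity check for Windows animated-cursor (.ani) files.

Added example (not from the original post, eEye's patch, or Microsoft's fix):
a defender-side scanner that walks the RIFF container an .ani file uses and
reports structural anomalies. The expectations it enforces come from the
public RIFF/ACON layout: form type 'ACON', chunk lengths that stay inside the
file, and exactly one 'anih' chunk carrying a 36-byte ANIHEADER.
"""
import struct
import sys

ANIHEADER_SIZE = 36  # sizeof(ANIHEADER): the payload a legitimate 'anih' chunk carries


def _iter_chunks(data, start, end):
    """Yield (fourcc, payload) for each RIFF chunk in data[start:end].

    Raises ValueError when a chunk header is truncated or a declared length
    runs past the end of the region.
    """
    pos = start
    while pos < end:
        if end - pos < 8:
            raise ValueError("truncated chunk header at offset %d" % pos)
        fourcc = data[pos:pos + 4]
        (length,) = struct.unpack_from("<I", data, pos + 4)
        body_start = pos + 8
        body_end = body_start + length
        if body_end > end:
            raise ValueError("chunk %r at offset %d declares %d bytes but only %d remain"
                             % (fourcc, pos, length, end - body_start))
        yield fourcc, data[body_start:body_end]
        pos = body_end + (length & 1)  # RIFF pads odd-length chunks to a word boundary


def check_ani(data):
    """Return a list of findings for one .ani file; an empty list means it looks well-formed."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    (riff_len,) = struct.unpack_from("<I", data, 4)
    if riff_len + 8 != len(data):
        findings.append("RIFF header claims %d bytes, file is %d" % (riff_len + 8, len(data)))
    end = min(riff_len + 8, len(data))
    anih_count = 0
    try:
        for fourcc, payload in _iter_chunks(data, 12, end):
            if fourcc == b"anih":
                anih_count += 1
                if len(payload) != ANIHEADER_SIZE:
                    findings.append("anih chunk #%d is %d bytes, expected %d"
                                    % (anih_count, len(payload), ANIHEADER_SIZE))
            # LIST chunks (frames, INFO) are nested RIFF lists and are not descended into here
    except ValueError as exc:
        findings.append(str(exc))
    if anih_count == 0:
        findings.append("no anih chunk")
    elif anih_count > 1:
        findings.append("%d anih chunks, expected exactly one" % anih_count)
    return findings


# --- constructed sample data (not real cursors) -------------------------------

def _chunk(fourcc, payload):
    """Serialize one RIFF chunk, including the pad byte after an odd-length payload."""
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


# A plausible ANIHEADER: cbSizeof=36, 1 frame, 1 step, zero size/colour fields,
# JifRate=1, flags=1 (AF_ICON). Only the length matters for the checks above.
GOOD_ANIHEADER = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 1, 1)


def build_ani(anih_payload_sizes):
    """Build a minimal RIFF/ACON file with one anih chunk per requested payload size."""
    body = b""
    for size in anih_payload_sizes:
        payload = GOOD_ANIHEADER if size == ANIHEADER_SIZE else bytes(size)
        body += _chunk(b"anih", payload)
    body += _chunk(b"LIST", b"fram")  # empty frame list; enough for a structural test
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


if __name__ == "__main__":
    # Scan files named on the command line, or fall back to the two constructed samples.
    samples = {path: open(path, "rb").read() for path in sys.argv[1:]} or {
        "constructed-good.ani": build_ani([36]),
        "constructed-bad.ani": build_ani([36, 100]),
    }
    for name, blob in samples.items():
        findings = check_ani(blob)
        print("%s: %s" % (name, "; ".join(findings) if findings else "OK"))
```

Run it with no arguments to see the constructed good sample pass and the constructed bad sample (a second, oversized `anih` chunk) get flagged twice; pass file paths to scan real cursors. The scanner deliberately stops at the outer chunk level, so it is a triage filter for mail gateways or a quarantine pipeline, not a replacement for the vendor patch.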

UPDATE #2: eEye Digital Security is incredible. At first glance, it seems to be professional and high-level. I think it is actually meant to protect your system and not scare your Aunt Martha into buying more and more additions to it. I’m impressed. I’m also sad to say that for the second time since 1985ish when I first got a PC clone (a Compaq Portable Plus with Compaq DOS 2.12 and a 10 MB HD, if you must know), I actually had a virus detected on a disk or computer in my home. It was one just reported in the wild for the first time at the end of Feb. So my current antivirus software, somewhat out of date, hadn’t picked up on it. Still I guess 2 virus detections out of all of the stuff I’ve done and all the disks I’ve used and stuff I’ve downloaded, is a pretty good safety record for 2.2 decades.

Comments

6 Responses to “Unfixed Outlook & IE hole allows XP&Vista user promotion to Admin”

  1. David Keith on April 2nd, 2007 10:56 am

    Wow! It amazes me that after all of these years folks are still using these products. Have you tried Mozilla Firefox? How about Mozilla Thunderbird? These products are stable, mature, free, secure, and cross-platform. Addicted to Exchange? Have you tried Communigate Pro? It allows Outlook addicts to connect to Communigate as if it were an Exchange Server.

    I’d recommend a fantastic email client called Evolution that has all of the features of Outlook including the ability to connect to both Exchange and GroupWise, but unfortunately the wider CodeGear community still isn’t Linux ready.

    Oh well, maybe someday. Until then you could always try an addiction counselor…

  2. Brian on April 2nd, 2007 11:54 am

    At the office, I have no choice. It is Outlook and IE. Period. End of story. No questions asked.

    I’m not going to go into the browser war in a comment especially since it gets boring and you’ve elected to concentrate on the email side of things, which I’m much more interested in. Besides, yes as a responsible site host, I have installed Firefox (old and new), Opera, Konqueror (my favorite), IE 6, IE7, Maxthon 1 and Maxthon 2 and they are ALL broken in different ways and when I care about how a site looks, I check them all. THEN you should talk to me about browser rants.

    Well, setting aside the “Microsoft is evil and you are stupid for running their software” arguments (NOTE: He didn’t say that folks, it’s just a generic quote) that others have made, can you convince me to run Thunderbird? Why should I switch?

    I’m more than willing to try Thunderbird if it will match my most important feature requirement: Integration and synchronization of my contact list, and calendar events across my three main machines. IF Thunderbird can allow my PDA to have all of my notes, calendar events, emails, and address lists synchronized with my work computer, which then likewise synchronizes with the events and addresses with my home, I’ll switch at home. Assuming Thunderbird can import all of my emails and handle some basic filtering and sorting rules.

    I want to be able to add an email address at home and because my PDA is in the cradle, I want it to be brought with me to work and be there when I go to send my next email because the PDA is in the cradle there. I want to be able to fix a phone number on my PDA while I am at church and have it then make its way back to both home and work. I want to be able to type a registration key into my notes when I am working on a computer in a different part of the office, and carry it back without thought to my desktop. Likewise, I’d like my cell phone to be able to synchronize to the contact list as well, which mine now does.

    As far as I know, there’s no solution to allow this and I don’t have the time or inclination to write one when I have Outlook for free.

    > Until then you could always try an addiction counselor…
    I’ve shown my required feature set and that I’m not just following the latest turn made by the stampeding masses. Can you do the same? Hmmm? Is that a “Moooo” I herd?

    (* Yes, folks that was a pun not a typo ;) *)

    This isn’t an attack David, please don’t read it as one. But /you/ threw down the gauntlet… Shall I simply pass it by? ;)

    (Oh, look at me getting all old school and forgetting that the italics/emphasis button can be used on the word you.)

  3. David Keith on April 2nd, 2007 12:56 pm

    I’m not going to go into the browser war in a comment especially since it gets boring and you’ve elected to concentrate on the email side of things, which I’m much more interested in. Besides, yes as a responsible site host, I have installed Firefox (old and new), Opera, Konqueror (my favorite), IE 6, IE7, Maxthon 1 and Maxthon 2 and they are ALL broken in different ways and when I care about how a site looks, I check them all. THEN you should talk to me about browser rants.

    Congratulations. You’re one of the few Codegear geeks I’ve corresponded with who are aware that there is life beyond IE. I had no intention of starting a browser ‘flame war’. It’s simply that I find too few people in our community look at browser selection from a perspective of security/functionality/flexibility, and what’s even worse is that it seems that the majority of the community is actually coding their web apps to be dependent on a single browser and platform, as if that’s all there is ever going to be.

    Having previously read your credentials, I guess I gave you too much credit for understanding the importance/critical nature of this issue.

    Well, setting aside the “Microsoft is evil and you are stupid for running their software” arguments (NOTE: He didn’t say that folks, it’s just a generic quote)…

    Strange that you brought this perspective into the discussion… I have found over the years (almost as many as you) that the only time you hear this type of statement being brought forth is when you have a Windows junkie on the defense who doesn’t realize that the word ‘enterprise’ in our professional context means something other than the latest server version from Microsoft.

    To respond, this will probably shock you, but there actually are other types of software running in corporate IT. Enterprise, by its very nature implies blends of hardware and software from multiple vendors, as it still isn’t feasible to meet all enterprise IT requirements running just one brand. Nothing said about evil, just the reality that makes up the crazy world of enterprise computing. It seems that this well known fact still escapes much of the BorGear crowd…

    my most important feature requirement: Integration and synchronization of my contact list, and calendar events across my three main machines. IF Thunderbird can allow my PDA to have all of my notes, calendar events, emails, and address lists synchronized with my work computer, which then likewise synchronizes with the events and addresses with my home…

    You do present some very special requirements for an email client, I did not realize that your needs were so complex. I know that Thunderbird has a plugin architecture for which various developers have produced contact synchronization plugins. I don’t think they are as numerous in their support of diverse devices as Microsoft can afford to be; for example you can sync with a Palm using PalmSync and HotSync, but this probably wouldn’t be sufficient for your advanced requirements. I wouldn’t however assume that just because one vendor’s software can do this that all other email client vendors can’t do this.

    I was a long time, dedicated Outlook user for many years. I gave it up years ago when, while at a Cisco IP Telephony trade show I had to return to work because the national email network – which covered all of the principal compass points in the country – was shut down because some 17 year old kid in the Philippines wrote and emailed a VB Script that Outlook happily propagated across Exchange servers world wide and cost businesses approximately $1 Billion in a 24-hour period.

    Whatever happened to critical thinking in the areas of enterprise security planning?

  4. Brian on April 2nd, 2007 3:27 pm

    Congratulations. You’re one of the few Codegear geeks I’ve corresponded with who are aware that there is life beyond IE. I had no intention of starting a browser ‘flame war’. It’s simply that I find too few people in our community look at browser selection from a perspective of security/functionality/flexibility, and what’s even worse is that it seems that the majority of the community is actually coding their web apps to be dependent on a single browser and platform, as if that’s all there is ever going to be.

    Having previously read your credentials, I guess I gave you too much credit for understanding the importance/critical nature of this issue.

    ooo butter and a barb! Very nice! (And that was a lower case b in barb… This isn’t THAT kind of a website.)

    Actually, I didn’t think you gave me any credit at all, as I “could always try an addiction counselor”. So, that’s something.

    You are right that there are definite security issues involved. There’s no denying that. You are opening your machine to the world. And I was answering with my web designer hat and not from the IT perspective. Still the fact of the matter is that a majority of the folks out there use IE for their surfing. 51.6% of my visitors in March used IE. That number has remained the same for the last year or so. Firefox comes in at 32%. So, if Microsoft doesn’t jump on this, there’s gonna be repercussions. It’s just good that Firefox has no support for animated cursors.

    the only time you hear this type of statement being brought forth is when you have a Windows junkie on the defense

    err… http://www.google.com/search?hl=en&q=Micro%24oft

    there actually are other types of software running in corporate IT.

    No doubt. I associate with many folks that have helped their corporation move away from the MS world. That’s just not the situation where I work and I am in the production world here not on the IT staff.

    you can sync with [...] HotSync

    Actually, I didn’t realize they’d gotten HotSync to work. If that’s possible now, that should be all I need to have. HotSync itself should be able to handle the rest. I will be giving Thunderbird a try. Thanks for that tidbit!

    >Whatever happened to critical thinking in the areas of enterprise security planning?
    It was taken over by the lure of large suites of applications and the promise that “single source solutions” would improve interoperability and eliminate all incompatibilities between each program. It sounds promising doesn’t it?

  5. David Keith on April 2nd, 2007 4:18 pm

    Actually, I didn’t think you gave me any credit at all, as I “could always try an addiction counselor”. So, that’s something.

    Man, sure is tough running a blog, isn’t it? Nobody cuts you any slack!

  6. Brian on April 2nd, 2007 4:34 pm

    Ah, the burdens we must bear in this modern world.

    Cheers mate!

Who is Brian Layman

I am a WordPress expert living in North East Ohio. I am part of the ever expanding Open Source Internet workforce. I am able to stay at home, with my wife and four home schooled kids, while working as the Senior Developer for b5media - a blogging network that has hosted over 300+

I co-host the NEO WordPress Monthly meetup. I am the board chair of our local church. I host and have provided development services for clients such TV personalities Rhett and Link as well as corporations such as Borland International.

In my spare time I try to sneak out, canoe, mountain bike and camp as often as I can. Sometimes I also defend the earth against zombies and aliens, but usually not during the camping trips.
