Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Microsoft Security Bulletin MS03-035
From: Andreas Marx <amarx () gega-it de>
Date: Thu, 04 Sep 2003 22:09:39 -0700


I just saw the couple of security updates Microsoft has released today. And comments like this (from MS03-035):

 - By default, Outlook 2002 block programmatic access to the
   Address Book. In addition, Outlook 98 and 2000 block
   programmatic access to the Outlook Address Book if the Outlook
   Email Security Update has been installed. Customers who use any
   of these products would not be at risk of propagating an e-mail
   borne attack that attempted to exploit this vulnerability.

They are so painly WRONG with such statements!!!

Almost every newly released e-mail virus/worm is able to bypass this Outlook "security" feature easily. Simply, because these viruses do not rely on the Outlook functions (using MAPI -- and only these MAPI functions are "protected") to get the e-mail addresses, but they are browsing the whole file (in binary mode) instead of this. And they are very successfull with this method, plus looking for (possible) e-mail adresses in other files (Browser Cache, other common mail applications), too. NO OUTLOOK/OFFICE FEATURE BLOCKS ATTACKS LIKE THIS!

Additionally, the process to send out virus/worm-infected mails is very easy, too. Almost every virus author tries to avoid using the partly "protected" MAPI functions to send out their nasty stuff, but instead of this, these malwares have an own SMTP engine for ages now. Again: NO OUTLOOK/OFFICE FEATURE BLOCKS ATTACKS LIKE THIS!

I cannot understand why Microsoft adds comments like this in their Security Bulletins. Almost all viruses by-passes these Outlook "protection" features for ages now - I'm not speaking about months, but about several YEARS. It looks like that MS hasn't realised this problem yet or they are simply ignoring it. <sigh>

Therefore, customers are at a HIGH RISK if they are using Internet Explorer for web browsing and have one of the affected Office versions installed on their PCs. We were able to get an old macro virus running automatically using the information eEye and others have released. WITHOUT any kind of warning the worm was able to infect our system and tried to send out lots of infected mails at the same time! You only need to open a file (click on the DOC attachment in OE/Outlook) or open a web page (Word will start automatically after one or two seconds).

[Of course, we have tested this in our high-security virus test labs only, without Internet access, so the virus was only able to spread internally.]

I would rank this vulnerabilty not only as important, but as being CRITICAL. I'm sure, we'll see new viruses/worms and authors of malicious websites (e.g. for expansive porn dialers) soon which would try to exploit this vulnerability (and the other ones mentioned) soon. It is as important to apply these patches as to apply the latest cummulative IE update. I hope, Microsoft will think about the facts again and raise the risk ratings and remove such a unhelpful "mitigating factors" asap.

I hope that some av companies will add detection for these kind of exploits, too, to generically block such modified files. (Most av vendors already tried to add detection for similiar exploits.)

Andreas Marx
Head of the Anti-Virus Test Center at the University of Magdeburg, Germany
Andreas Marx <amarx () gega-it de>, http://www.av-test.org
I'm in the US right now and not reachable by phone or fax.

  By Date           By Thread  

Current thread:
  • Re: Microsoft Security Bulletin MS03-035 Andreas Marx (Sep 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]