[LINK] How Outlook 2002 can still execute JavaScript in an HTML email message

Rick Welykochy rick@praxis.com.au
Fri, 22 Mar 2002 11:25:35 +1100


On the topic of Microsoft and their job ahead in securing its systems, here is
a typical security bulletin, one of many I read weekly on BUGTRAQ. I've snipped
it for brevity.

In plain English: the Media Player can be used to cripple security mechanisms
in the Mail Reader to send virii and worms on the Internet (!) ... who would
have thought?

When one contemplates the number of possible interactions between all of the
tightly-coupled non-system components in a W2K (or other Win) system, replete
with patches and different software versions of .DLLs and system components,
the mind simply boggles.

cheers
rickw



-------- Original Message --------
Subject: How Outlook 2002 can still execute JavaScript in an HTML email message
Date: Thu, 21 Mar 2002 14:47:56 -0500
From: "Richard M. Smith" <rms@computerbytesman.com>
To: <bugtraq@securityfocus.com>

Hello,

Windows Media Player (WMP) reintroduces the ability to automatically
execute JavaScript code from an HTML email message in Outlook 2002.
JavaScript is disabled by default in Outlook 2002, because it can
facilitate the creation of worms and other malicious code which is
carried by HTML email messages.  Using a number of simple tricks, WMP
can be used to bypass the Outlook security settings and still
automatically execute JavaScript, Java, and ActiveX code in an HTML
email message.

Here is an outline of the steps needed to exploit this problem:

1.  An IFRAME tag is inserted into an HTML email message that
    references a Windows Media Skin (.WMS) file.  The .WMS
    can be loaded either from a Web site or from an attached
    file to the email message using the CID: protocol.  (Note: 
    I have only tested downloading a .WMS file from a Web site.)

2.  Because .WMS files are considered safe by Windows, WMP will
    automatically be started by Outlook and it will be passed
    the .WMS file.

3.  The .WMS file contains a short bit of JavaScript code
    in an onload handler which runs a Web page using the
    player.LaunchURL() method.  This onload handler is
    automatically executed when WMP opens the .WMS file.
    
4.  The Web page from step 3 can be loaded from a Web site, or 
    the source code of the Web page can be embedded in the .WMS file
    using the "about:" or "javascript:" protocol.  
[SNIP]

Workarounds

The only work-around that I am aware of is to manually mark each Windows
Media file type as not safe-for-opening.  This process is going to be
prone to errors since there are about 10 file types that need to be fixed.

Richard M. Smith
http://www.ComputerBytesMan.com
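As an added example (not part of either message above, and not code from Richard M. Smith or Microsoft): the IFRAME-to-.WMS pattern described in step 1 of the forwarded post is easy to flag at a mail gateway or in a mailbox forensic pass, independently of the per-file-type "not safe-for-opening" workaround. The scanner below walks an HTML body, picks out framing tags whose src resolves to a Windows Media Skin file over either a Web URL or a cid: reference, and reports each hit. The extension list holds only .wms because the post names no other types, the FRAME tag is an assumed close relative of IFRAME, and the sample message is constructed for this example.

```python
"""Flag HTML email bodies that frame a Windows Media Skin (.wms) file.

Added example, not from the BUGTRAQ post: detection logic a mail gateway
or a forensic script could run over an HTML body.  The extension set,
tag set and sample message below are assumptions/constructed data.
"""
import os
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The post names only .WMS and says roughly ten Windows Media file types
# are involved without listing them; extend this set from your own
# file-type policy (assumption: .wms alone here).
MEDIA_SKIN_EXTENSIONS = {".wms"}

# Tags whose src= the mail reader fetches and hands to the registered
# viewer.  The post uses IFRAME; FRAME is an assumed related case.
FRAMING_TAGS = {"iframe", "frame"}


def referenced_name(src):
    """Return (scheme, path) for a src attribute value.

    A cid: reference points at an attached MIME part whose content-id
    usually looks like 'skin.wms@host', so the text before '@' carries
    the file name; for http(s) the URL path carries it.
    """
    parts = urlsplit(src.strip())
    scheme = parts.scheme.lower()
    path = parts.path
    if scheme == "cid":
        path = path.split("@", 1)[0]
    return scheme, path


def is_media_skin(path):
    """True when the path's extension is one of the skin types."""
    return os.path.splitext(path)[1].lower() in MEDIA_SKIN_EXTENSIONS


class SkinFrameScanner(HTMLParser):
    """Collect framing tags whose src references a media skin file."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag not in FRAMING_TAGS:
            return
        for name, value in attrs:
            if name == "src" and value:
                scheme, path = referenced_name(value)
                if is_media_skin(path):
                    self.findings.append({
                        "tag": tag,
                        "src": value,
                        "scheme": scheme,
                        "file": os.path.basename(path),
                    })


def scan_html(body):
    """Return a list of findings (dicts) for one HTML email body."""
    scanner = SkinFrameScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample: one Web-hosted skin, one attached skin via cid:,
# and one ordinary iframe that must not be reported.
SAMPLE_EMAIL = """<html><body>
<p>Quarterly numbers attached.</p>
<IFRAME SRC="http://example.invalid/skins/player.wms?v=2" WIDTH=1 HEIGHT=1></IFRAME>
<iframe src="cid:skin.wms@example.invalid"></iframe>
<iframe src="http://example.invalid/news.html"></iframe>
</body></html>"""


if __name__ == "__main__":
    for hit in scan_html(SAMPLE_EMAIL):
        print(f"{hit['tag']} via {hit['scheme']}: {hit['file']} ({hit['src']})")
```

Run as a script it reports the two skin references and stays silent on the ordinary iframe; as a module, `scan_html()` returns the findings so a gateway can quarantine or a triage script can tally them. Note that the cid: branch only inspects the content-id string, so a gateway should also check the attached part's declared filename and content type rather than trust the name in the reference.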