On Fri, 30 Mar 2001, Juan Carlos Garcia Cuartango wrote:
> Hi, Microsoft has released a security bulletin
> http://www.microsoft.com/technet/security/bulletin/ms01-020.asp
> entitled "Incorrect MIME Header Can Cause IE to Execute E-mail
> Attachment". EML files are MIME multipart files that IE 5 will parse.
> There is a vulnerability allowing arbitrary code execution using this
> kind of files. This vulnerabiliy could allow an hostile page or e-mail
> to perform any action on your computer. The vulnerability affects IE
> 5, IE 5.5 over all windows platforms. I have prepared some demos about
> the vulnerability in www.kriptopolis.com (major spanish security site)
> : http://www.kriptopolis.com/cua/eml.html Note : It you want to have a
> look to the hostile EML files you must click the right mouse button
> over the pictures and select the "Save Target As" menu option.
> Regards, Juan Carlos G. Cuartango
Test system; Windows 2000 Service Pack 1 with Internet Explorer 5.5 SP1
The files on forementioned website are 'EML' files. When I save these
files on the test system and browse to them using My Computer (meaning
single, left clicking on the file), the exploit runs because the file is
automatically previewed in the left autopreview frame feature of Explorer.
Thats only really generic feedback, but it does mean, for example, I can
place a bunch of malicous .EML files in a folder, and wait for people to
click on the file. Voila, owned. What's slightly more serious is even if
you Right Click on the filename (to open it in Notepad or set file
properties, for example), it is still auto previewed and the exploit still
runs.
Gossi.
