#1 jscher2000 (Super Moderator, Silicon Valley, USA)

    Guninski Script Exploit on Reply/Forward (2000/1a)

WOW #7.14 mentions a vulnerability in Office XP with Word as the e-mail editor. I tested this with an HTML message in Outlook 2000 with Outlook as the editor, and the security works, but when I tried it in WordMail, the script runs. And runs. And runs. In fact, I had to shut down all my applications to get it to stop running.

    Here is Picture #1:

#2 jscher2000 (Super Moderator, Silicon Valley, USA)

    Re: Guninski Script Exploit on Reply/Forward (2000/1a)

    Here is Picture #2. Apparently the security model doesn't work: placing Outlook messages in the Restricted Zone does not carry over to Word when composing a message, which is relevant in the case of a reply or forward.

#3 Platinum Lounger (Roanoke area, Virginia, USA)

    Re: Guninski Script Exploit on Reply/Forward (2000/1a)

I found that out last week when Guninski first released it on the NTBugtraq list.

It's only a problem with WordMail, so if you disable Word as the editor, you're OK. Also, since it's really a Word exploit, it's not limited to e-mail: if someone sends you a doc with it in, you're at risk.

The good news is that as of yesterday all Exchange Server AV scanners scan for the exploit. I presume the desktop scanners do the same.

#4 jscher2000 (Super Moderator, Silicon Valley, USA)

    Re: Guninski Script Exploit on Reply/Forward (2000/1a)

Based on further experiments, it appears that WordMail opens in the Internet Zone. If you require a prompt for Active Scripting in the Internet Zone, or disable Active Scripting entirely (where is rmrucker?), then scripts will not run automatically in WordMail.

#5 Silver Lounger (Long Beach, California, USA)

    Re: Guninski Script Exploit on Reply/Forward (2000/1a)

Always here! That is strange. WordMail always opens in the Internet zone even if Outlook is set up to be in the Restricted sites. Not good. Thanks for the information.

#6 Platinum Lounger (Roanoke area, Virginia, USA)

    Re: Guninski Script Exploit on Reply/Forward (2000/1a)

It's because Word uses the Internet zone (or possibly the more trusted My Computer zone), and the Word settings take over, not the Outlook security settings.

#7 Silver Lounger (Long Beach, California, USA)

    Re: Guninski Script Exploit on Reply/Forward (2000/1a)

I would suspect it uses the My Computer zone; that would make the most sense. Therefore, modifying the Internet zone settings would not be protective. And modifying the My Computer zone settings is "functionally prohibitive"...

#8 jscher2000 (Super Moderator, Silicon Valley, USA)

    Re: Guninski Script Exploit on Reply/Forward (2000/1a)

    Originally, I thought that too, but changing the My Computer zone settings had no effect whatsoever on the Guninski script. (And it's so irritating that the Security dialog doesn't enlarge when you make the My Computer zone visible!)

    I wondered how Windows was interpreting this, and thought perhaps Word was reading/writing to the IE/Outlook cache folders. But it wasn't. It was reading/writing the Drafts folder in the PST just as you would with the Outlook editor. So... beats me why it treats it as the Internet zone rather than the Restricted zone.

    Note: the above relates only to replies and forwards to e-mail messages. Documents opened from the C drive or a local server undoubtedly would be My Computer and Intranet zone files, respectively. Unfortunately, the cost of dealing with this in those contexts is too high: too many irritating prompts! (Try using HTML help with Active Scripting and ActiveX prompts in the My Computer zone, and you'll soon lose your marbles.)

#9 Silver Lounger (Long Beach, California, USA)

    Re: Guninski Script Exploit on Reply/Forward (2000/1a)

    I completely agree!! I think Woody says it right -- forget about "WordMail".

#10 Platinum Lounger (Roanoke area, Virginia, USA)

    Re: Guninski Script Exploit on Reply/Forward (2000/1a)

Because Word uses the Internet zone... Reading mail uses the Outlook editor and the Restricted zone. When you compose mail with Word, you are using Word's OM, not Outlook's, and as a result are using Word's zone. Normally, when you work in Word, you'd want it in a less restrictive zone.

I would never change the My Computer zone settings, but we do disable active content in the Internet zone and add sites to Trusted, where everything is allowed.

#11 jscher2000 (Super Moderator, Silicon Valley, USA)

    Re: Guninski Script Exploit on Reply/Forward (2000/1a)

    > Word uses the internet zone

    WordMail definitely uses the Internet zone, and when I open the test message directly into Word as an HTML file from my desktop, Word also applies Internet zone security, rather than, say, My Computer zone security.

    But this still is confusing to me. The Guninski example contains an <OBJECT> tag which loads an ActiveX WebBrowser control which then executes the script. Word does not balk at loading the ActiveX control in the message/page that creates a web browser, regardless of the settings for ActiveX controls in the Internet zone or in the My Computer zone. It appears not to view the instantiation of objects as an Internet Explorer-related activity. It is only when that embedded web browser control executes a script that IE zones seem to kick in. I don't have the kinds of tools that could parse the various processes and determine what code library is running at the moment I get the scripting prompt; I suspect it is not Word, but IE.

    So I think Word itself doesn't check security zones when opening documents. But since Word does not normally run scripts in Word or HTML documents, this all may be of limited concern. The problem posed by the Guninski example is that Word tries to convert the OBJECT to a field, completely blind to (1) the source of the file (Outlook) and (2) the nature of the OBJECT. If I open the test page through a macro (attached), I can determine whether the page contains that specific control. Unfortunately, using this method I cannot read its parameters, so I don't know whether it contains SCRIPT tags or merely passive content. (There's a property of the document called HTMLProject, but I haven't dug into it enough to determine whether that provides the details.) If I were in the habit of opening a lot of strange HTML pages in Word (I use Word to open web pages as HTML very rarely), I'd check for all use of ActiveX controls.

If one is using WordMail, such a macro probably is impotent, BUT as long as inbound messages are read in the Restricted Zone, you should get a big security warning when you read the message. At that point, you should NOT hit reply or forward. Instead, it makes sense to copy and paste into a new message. Or... better yet, as everyone is saying, don't use WordMail.
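The check described in post #11 (detect whether an HTML message body embeds an ActiveX OBJECT, and whether it also carries SCRIPT content) can be done outside Word before a reply or forward. The following is an added example, not the macro attached to the post: it uses Python's standard-library HTML parser, and the classid in the constructed sample message is a placeholder, not a real CLSID.

```python
from html.parser import HTMLParser

# Constructed sample message body: an <object> with a placeholder classid
# (not a real CLSID), one <param>, and an inline <script> block.
SAMPLE_MESSAGE = """<html><body>
<p>Hello</p>
<object classid="clsid:00000000-0000-0000-0000-000000000000" id="wb">
  <param name="Location" value="about:blank">
</object>
<script>alert('script');</script>
</body></html>"""


class ActiveContentScanner(HTMLParser):
    """Collect <object> elements (with their <param> children) and count <script> blocks."""

    def __init__(self):
        super().__init__()
        self.objects = []      # one dict per <object>: {"classid": ..., "params": {...}}
        self.scripts = 0       # number of <script> elements seen
        self._current = None   # the <object> whose <param> tags we are inside

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute names are lower-cased by HTMLParser
        if tag == "object":
            self._current = {"classid": a.get("classid", ""), "params": {}}
            self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            # Unlike the Word macro in the thread, a parser can read the PARAMs.
            self._current["params"][a.get("name", "")] = a.get("value", "")
        elif tag == "script":
            self.scripts += 1

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def scan_html(html):
    """Return the OBJECT tags (classid + params), the SCRIPT count, and a risk flag.

    Any OBJECT is flagged: the thread's point is that Word converts it to a field
    without checking what control it instantiates, so the safe default is to refuse
    reply/forward on such a message and paste the text into a fresh one instead.
    """
    p = ActiveContentScanner()
    p.feed(html)
    p.close()
    return {"objects": p.objects, "scripts": p.scripts,
            "risky": bool(p.objects) or p.scripts > 0}
```

Run `scan_html` over the message body (from the Drafts item or the saved HTML file) before choosing reply or forward; a non-empty `objects` list or a non-zero `scripts` count is the signal to start a new message instead.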
