  1. #1
    New Lounger

    OfficeXP SP3 - attachments automatically opening. (Outlook XP SP3)

    I might have found a major security flaw in OfficeXP SP3.
    While opening an email with an attachment, the attachment (.txt) automatically opened.
    Hit Forward, attachment opened again. Sent the email to a PC in the office that has all the patches up to but not including SP3, opened the email. The attachment did not open. Forwarded the email back to the machine with SP3, opened the email, and the attachment automatically opened.

    This problem was supposed to be fixed several patches back; all previous patches were installed prior to installing SP3.
    Did MS overwrite a major patch with OfficeXP SP3?
    By the way, this is a WinXP with all patches installed.
    Who can I report this error to?

    Matt

  2. #2
    Super Moderator jscher2000

    When you say "automatically opens," you mean it opened in Notepad by itself?

    There was a flaw in Internet Explorer that permitted attackers to embed false information in an HTML message to cause this to occur, but it has been patched for over a year. Was it an HTML format message? Is your IE patched up to date?

    If it was a plain text message, it's truly a mystery.

  3. #3
    Super Moderator jscher2000

    Sorry, one more question: do you use Outlook's built-in editor or Word to view/edit messages? I think there was some kind of problem with Word that was patched a while back, too, but I can't recall what versions of Office were affected.

    Okay, one more question: was the message from a trusted source? If you drag the message out to the desktop, and zip it up, could you send it to me at my work address? I'll post it here temporarily: jscher@carrferrell.com?Subject=Evil message for review.

  4. #4
    New Lounger

    Thanks for all the replies, I'll try to answer all the questions.
    Fully patched (all Critical Patches + SPs) installed on both WinXP and OfficeXP, added SP3 last week and am testing it before I deploy it to anyone else.
    Yes, Notepad automatically opened!
    Yes, it was an HTML-based email, and I seem to remember that this was addressed some time ago; that is why I was so concerned.
    No, I do not use Word to view/edit messages - way too risky.

    After much research and some tips from the Microsoft.private.directaccess.outlook-exchangeclient newsgroup, I went into:
    Outlook - Tools - Options - Security tab - clicked on Zone Settings - clicked on Restricted Sites.
    Restricted sites was set to Medium instead of High.
    Set to High, clicked OK, and went back out to the Inbox.
    Tried to open the email again and the attachment did not auto open.
    Went back in to Restricted Zone and set to Medium, opened the email again, and the attachment automatically opened again.
    I am not sure why I did not have the Restricted Zone set to High (default), but I did not believe it mattered since I have not entered any sites into that zone.
    Changes made to the other zones (Internet, Local Intranet, Trusted Zone) did not matter. Even if I set every other zone to Low and Restricted to High, the attachment would not open.

    A few notes:
    1. In the Security window under Restricted Sites, there are NO sites listed. Is there a default list built in that we cannot see?
    2. This is not from a trusted site; in fact it was a specially crafted email to take advantage of this hole. Luckily my ScanMail server removed the virus and attached a text file telling me the name of the virus. Otherwise I would have been infected; hopefully my desktop virus software would have stopped it once it opened.
    3. Let me know if you still want a copy of this email. Since it is from someone unknown and originally contained a virus, I will not send it unless you specifically request it knowing all the details.

  5. #5
    New Lounger

    Upon further testing I found the specific Security setting in question.
    If "Launching programs and files in an Iframe" is set to Enable or Prompt, the email's attachment will automatically open.
    You will not be prompted, even if you select Prompt for this setting.
    This was supposed to be fixed in MS01-20 and updated in MS01-27.

    Matt
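
The check described in posts #4 and #5 can be scripted. The following PowerShell is an added example, not part of the original thread: it reads the Restricted Sites zone from the registry and reports its security level and the IFRAME launch setting. It assumes the standard Internet Explorer zone layout (zone 4 is Restricted Sites; URL action 1804 is "Launching programs and files in an IFRAME"); the function name is hypothetical.

```powershell
# Added example, not from the thread. Zone 4 = Restricted Sites; URL action
# 1804 = "Launching programs and files in an IFRAME" (0 = Enable, 1 = Prompt,
# 3 = Disable). Get-RestrictedZoneIframeSetting is a hypothetical helper name.
$ZoneKey   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'
$PolicyKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'
# Policy locations are listed first, then the per-user and machine preferences.
$Locations = @("HKLM:\$PolicyKey", "HKCU:\$PolicyKey", "HKCU:\$ZoneKey", "HKLM:\$ZoneKey")

$ActionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$LevelNames  = @{ 0 = 'Custom'; 0x10000 = 'Low'; 0x10500 = 'Medium-low'
                  0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }

function Get-RestrictedZoneIframeSetting {
    foreach ($path in $Locations) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props  = Get-ItemProperty -LiteralPath $path
        $action = $props.'1804'
        $level  = $props.CurrentLevel

        if ($null -eq $action) {
            $actionText = 'not set at this location'
            $finding    = 'n/a'
        } else {
            $actionText = $ActionNames[[int]$action]
            if (-not $actionText) { $actionText = "unknown ($action)" }
            # Per post #5, Prompt behaved like Enable, so only Disable passes.
            $finding = if ([int]$action -eq 3) { 'OK' } else { 'WEAK' }
        }

        if ($null -eq $level) {
            $levelText = 'not set at this location'
        } else {
            $levelText = $LevelNames[[int]$level]
            if (-not $levelText) { $levelText = '0x{0:X}' -f [int]$level }
        }

        [pscustomobject]@{
            Location     = $path
            ZoneLevel    = $levelText
            IframeLaunch = $actionText
            Finding      = $finding
        }
    }
}

Get-RestrictedZoneIframeSetting | Format-Table -AutoSize
```

A row marked WEAK corresponds to the Medium configuration Matt found; setting the zone back to High in the Zone Settings dialog should change it to Disable.
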

  6. #6
    Super Moderator jscher2000

    Thanks for the specifics. Not sure how your Restricted Zone got loosened up. It had better not be MS' update, or there are going to be many furious customers!!

    I think the bug that was fixed involved the misdescription of executable files as sounds, or something along those lines. I suspect the fix did not circumvent text content or even HTML content from opening automatically. But I'll admit I didn't go back and study the details.
