COMMAND

Internet Explorer and Access allow macros to be executed automatically

SYSTEMS AFFECTED

Microsoft Access and Internet Explorer version 5 through version 6. Older versions ?
Outlook Express 2000, Outlook Express 98, Outlook 2000, Outlook 98

PROBLEM

In GFI Security Labs [http://www.gfi.com/] advisory [GFISEC04102001]:

The problem is exploited by embedding VBA code within an Access database file (.mdb) within an Outlook Express email file or Multipart HTML (mht) file. If the email file is accessed using Internet Explorer, the attachment may be automatically executed without triggering any security alerts. The exploit will work regardless of the security level (in our labs, we also tested it with High Security and Restricted Zone).

This may be exploited through email by using an iframe tag or using Active Scripting to call the malicious file through an HTML email, allowing Internet Explorer to automatically access the exploit EML file.

A live example of the named exploit is available on:

http://www.gfi.com/emailsecuritytest

SOLUTION

Workaround :
==========

Filtering HTML email for JavaScript and similar scripting capabilities, as well as checking for IFRAME, will prevent the exploit from being run through email. This can be easily done using GFI's Mail essentials & Mail Security for Exchange 2000. GFI Security Labs also recommends filtering out mdb files. You might also want to consider blocking access to EML, MHTML and MHT files through HTTP and SMTP.

Patch :
=====

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-005.asp
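
The workaround's filtering rules (script and IFRAME markup in HTML mail, mdb attachments, EML/MHT/MHTML files) expressed as a mail-gateway check. This is an added example, not code from the GFI advisory or any GFI product; the extension list, function names and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed gateway policy, taken from the workaround: file types to block.
BLOCKED_EXT = (".mdb", ".eml", ".mht", ".mhtml")
# Markup the workaround says to filter: IFRAME and script blocks.
ACTIVE_HTML = re.compile(r"<\s*(iframe|script)\b", re.IGNORECASE)


def scan_message(raw: bytes) -> list[str]:
    """Return policy findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            findings.append("embedded message/rfc822 part")
        if part.is_multipart():
            continue  # containers carry no body of their own
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXT):
            findings.append(f"blocked attachment: {name}")
        if part.get_content_type() == "text/html":
            html = part.get_content()
            for m in ACTIVE_HTML.finditer(html):
                findings.append(f"active HTML tag: {m.group(1).lower()}")
    return findings


def build_sample() -> bytes:
    """Constructed test message: HTML body with an IFRAME plus an .mdb file."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain body")
    m.add_alternative(
        '<html><body><IFRAME src="about:blank"></IFRAME></body></html>',
        subtype="html",
    )
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename="Report.MDB")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

A message that produces any finding would be quarantined or stripped at the gateway; the check matches on file name and tag name only, so it complements the MS02-005 patch rather than replacing it.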