
Office XP / MSIE - Malicious ActiveX controls lead to arbitrary code execution


Georgi Guninski security advisory #49, 2001

MS Office XP - the more money I give to Microsoft, the more vulnerable
my Windows computers are

Systems affected:

Win2K + IE 5.5 SP1 fully patched + Office XP.

It was reported to work with IE6 beta also.

Risk: High

Date: 12 July 2001

Legal Notice:

This Advisory is Copyright (c) 2001 Georgi Guninski.

You may distribute it unmodified.

You may not modify it and distribute it or distribute parts of it
without the author's written permission.

Disclaimer:

The information in this advisory is believed to be true based on
experiments though it may be false. The opinions expressed in this
advisory and program are my own and not of any company. The usual
standard disclaimer applies, especially the fact that Georgi Guninski is
not liable for any damages caused by direct or indirect use of the
information or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this
advisory or program or any derivatives thereof.

If you want to link to this advisory or reference it use the URL:
http://www.guninski.com/vv2xp.html

The above especially applies for companies like Mitre and BugNet

Background:

Recently I bought Office XP.

It was quite an unpleasant feeling giving so much money for so buggy
a product.

Description:

If a user visits a specially designed HTML page with IE, or opens or
previews a message with Outlook XP, arbitrary commands may be executed on
his computer. This may lead to taking full control over the user's computer.
Using another approach to this bug allows reading, modifying and
deleting messages in the user's Outlook XP folders.

Details:

The problem is again ActiveX. This time Office XP seems to install a
malicious ActiveX control - "Microsoft Outlook View Control". This
control exposes a property named "selection" which gives access to the user's
mail messages. It also exposes the Outlook "Application" object which
may lead to execution of arbitrary programs on the user's computer.

Examine the script below for more information.

Demonstration:

http://www.guninski.com/vv3-2demo.html

-----------------------------------------------------
This assumes you have at least one message in Outlook XP's Inbox
<br>
<object id="o1"
   classid="clsid:0006F063-0000-0000-C000-000000000046"
>
<param name="folder" value="Inbox">
</object>
<script>
                                                                                                                                                                                                                                                                                                                                                                                                         
</script>
-----------------------------------------------------

Solution:

Uninstall Office XP and Windows.

Vendor status:

Microsoft was informed on 9 July 2001.

As far as I could understand they are still investigating my report.

Regards,
Georgi Guninski
http://www.guninski.com
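
Added example, not part of the advisory: a Python check that flags HTML pages or mail bodies which instantiate the "Microsoft Outlook View Control" by the CLSID shown in the demonstration markup, as a mail-gateway or proxy filter might. The function and class names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# CLSID of the Outlook View Control, as given in the advisory's markup.
OUTLOOK_VIEW_CTL = "0006f063-0000-0000-c000-000000000046"

# Constructed sample input: mixed case, braces around the GUID, and an
# unrelated <object> that must not be reported.
SAMPLE = """<html><body>
<OBJECT ID="o1"
   CLASSID="CLSID:{0006F063-0000-0000-C000-000000000046}">
<param name="folder" value="Inbox">
</OBJECT>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>"""

def normalize_clsid(value):
    """Reduce 'clsid:GUID' / 'CLSID:{GUID}' spellings to a bare lowercase GUID."""
    v = (value or "").strip().lower()
    if v.startswith("clsid:"):
        v = v[len("clsid:"):]
    return v.strip().strip("{}")

class ViewControlFinder(HTMLParser):
    """Collects <object> tags whose classid is the Outlook View Control."""

    def __init__(self):
        super().__init__()
        self.hits = []      # one dict per matching <object>
        self._open = None   # matching <object> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)     # HTMLParser lowercases names, decodes entities
        if tag == "object":
            match = normalize_clsid(a.get("classid")) == OUTLOOK_VIEW_CTL
            self._open = {"line": self.getpos()[0], "id": a.get("id"),
                          "params": {}} if match else None
            if match:
                self.hits.append(self._open)
        elif tag == "param" and self._open is not None:
            self._open["params"][(a.get("name") or "").lower()] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "object":
            self._open = None

def find_view_control(html_text):
    """Return a list of matching <object> tags with line, id and params."""
    finder = ViewControlFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits
```

Matching on the parsed `classid` attribute rather than on raw text catches case, brace and character-reference variations, and ignores pages that merely mention the CLSID in prose.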

