24th Feb 2003 [SBWID-6020]
COMMAND
	IE Shared codebase of (eg. in Outlook) allows silent delivery  and  exec
	of code
SYSTEMS AFFECTED
	Windows current ?? (as of 24 Februrary 2003)
PROBLEM
	http-equiv [[email protected]] [http://www.malware.com] posted :
	Technical silent delivery and installation of an  executable  no  client
	input other than reading  an  email  or  viewing  a  newsgroup  message.
	Outlook Express 6.00 SP1 Cumulative Pack 1 2 3 4 whatever.
	This should not be possible.
	When viewing an email message or a newsgroup  message,  Outlook  Express
	creates a temp file in the Internet Explorer cache. From  here  security
	should be governed by Internet Explorer's security settings.
	In an html email with internet zone applied, this will not function:
	
	<o bject classid="clsi d:1 1 1 1 1 1 1 1-1 1 1 1-1 1 1 1-1 1 1 1" 
	code base="C:WINDOWSFTP.EXE"></object>
	
	[screen shot: http://www.malware.com/tsktsk.png 11KB]
	In an html  email  message  or  newsgroup  message  with  internet  zone
	applied this will function:
	
	<xml id=oExec> <security><exploit> <![CDATA[ <o bject id="oFile" 
	classid="clsi d:1 1 1 1 1 1 1 1-1 1 1 1-1 1 1 1-1 1 1 1"
	code base="C:WINDOWSFTP.EXE"></object>]]></exploit></security></xml>
	<SPAN dataFld=exploit dataFormatAs=html 
	dataSrc=#oExec></SPAN>
	
	courtesy of: http://sec.greymagic.com/adv/gm001-ie/
	[screen shot: http://www.malware.com/tsktsktsk.png 11KB]
	NOTE: that default  installations  of  Outlook  Express  6.00  are  with
	restricted zone applied. However there still remain many 'happy  people'
	out there that  enjoy  their  html  mail  messages  and  html  newsgroup
	messages, and coupling the  above  with  any  one  of  a  million  other
	unsolved problems now and in  the  future  with  Internet  Explorer  and
	Outlook Express, including a new  http://www.malware.com/stench.html  we
	are back in business.
	Notes: This is supposed to be patched:
	
	http://microsoft.com/technet/security/bulletin/MS02-015.asp 28 March 2002
	
	-Also-
	Thor  Larholm  PivX  Solutions  [http://www.pivx.com],  LLC   -   Senior
	Security Researcher explains :
	The culprit here is  the  codebase  localPath  vulnerability  which  was
	patched in Internet Explorer by MS02-015 in March  2002.  GreyMagic  had
	more fun with this at http://security.greymagic.com/adv/gm001-ie/  which
	is also the origin of the example displayed.
	MS02-015  crippled  codeBase  quite  severely  in   Internet   Explorer,
	completely removing most of its functionality in the Internet  Zone.  It
	is still possible to use this vulnerability in Internet Explorer in  any
	local security zone, but getting to that zone in the first place  is  in
	itself an obstacle.
	Whatever Microsoft  patched  in  MS02-015  (crippling  codeBase  in  the
	Internet Zone to avoid the command  execution  vulnerability)  was  only
	applied to the IE-specific parts of MSHTML and not to any  shared  parts
	that thirdparty programs such as Outlook and  Outlook  Express  utilize.
	This despite our impression that MS02-015 removed the problem.
	This is apparent if you examine Outlook  2000  which  can  also  execute
	arbitrary commands automatically upon reading mails if you have set  the
	security zone to the Internet  Zone  -  just  like  Outlook  Express  as
	displayed by http-equiv
	The default security zone for Outlook 2000 is the Internet Zone.  It  is
	first after you apply Office 2000 Service Pack 3 that the  default  zone
	is changed to the Restricted zone, so remember either  to  apply  O2KSP3
	or manually change your zone settings to  Restricted  at  your  earliest
	convenience.
	Does Eudora still use the Internet Zone for viewing HTML  mail?  If  so,
	it  is  also  still  vulnerable  to  the  codeBase   command   execution
	vulnerability, like any other application that is embedding MSHTML.
SOLUTION
	?