Re: Microsoft Security Bulletin MS03-035

From: Andreas Marx (amarxgega-it.de)
Date: Fri Sep 05 2003 - 00:09:39 CDT


I just saw the couple of security updates Microsoft has released today. And
comments like this (from MS03-035):

> - By default, Outlook 2002 blocks programmatic access to the
> Address Book. In addition, Outlook 98 and 2000 block
> programmatic access to the Outlook Address Book if the Outlook
> Email Security Update has been installed. Customers who use any
> of these products would not be at risk of propagating an e-mail
> borne attack that attempted to exploit this vulnerability.

They are so plainly WRONG with such statements!!!

Almost every newly released e-mail virus/worm is able to bypass this
Outlook "security" feature easily. Simply because these viruses do not
rely on the Outlook functions (using MAPI -- and only these MAPI functions
are "protected") to get the e-mail addresses, but browse the
whole file (in binary mode) instead. And they are very successful
with this method, plus looking for (possible) e-mail addresses in other
files (Browser Cache, other common mail applications), too. NO

Additionally, the process to send out virus/worm-infected mails is very
easy, too. Almost every virus author tries to avoid using the partly
"protected" MAPI functions to send out their nasty stuff; instead,
this malware has had its own SMTP engine for ages now. Again: NO

I cannot understand why Microsoft adds comments like this in their Security
Bulletins. Almost all viruses have bypassed these Outlook "protection" features
for ages now - I'm not speaking about months, but about several YEARS. It
looks like MS hasn't realised this problem yet or is simply
ignoring it. <sigh>

Therefore, customers are at a HIGH RISK if they are using Internet Explorer
for web browsing and have one of the affected Office versions installed on
their PCs. We were able to get an old macro virus running automatically
using the information eEye and others have released. WITHOUT any kind of
warning the worm was able to infect our system and tried to send out lots
of infected mails at the same time! You only need to open a file (click on
the DOC attachment in OE/Outlook) or open a web page (Word will start
automatically after one or two seconds).

[Of course, we have tested this in our high-security virus test labs only,
without Internet access, so the virus was only able to spread internally.]

I would rank this vulnerability not only as important, but as being
CRITICAL. I'm sure we'll see new viruses/worms and authors of malicious
websites (e.g. for expensive porn dialers) soon which would try to exploit
this vulnerability (and the other ones mentioned). It is as important
to apply these patches as to apply the latest cumulative IE update. I
hope Microsoft will think about the facts again, raise the risk ratings
and remove such unhelpful "mitigating factors" asap.

I hope that some av companies will add detection for these kinds of
exploits, too, to generically block such modified files. (Most av vendors
already tried to add detection for similar exploits.)

Andreas Marx
Head of the Anti-Virus Test Center at the University of Magdeburg, Germany
Andreas Marx <amarxgega-it.de>, http://www.av-test.org
I'm in the US right now and not reachable by phone or fax.
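The point of the post is that the Outlook Object Model guard protects one access path (MAPI calls into the address book), while the worms of that era simply read files byte by byte and pattern-match anything that looks like an address. The script below is an added example, not code from Andreas Marx's post or from any of the malware he refers to: it harvests addresses from a constructed binary blob containing ASCII text as well as UTF-16LE text (the encoding Windows address-book and cache files commonly use), at both UTF-16 byte alignments, without touching any Outlook or MAPI interface. The sample blob, the skip list of domains a worm would rather not mail (a common worm habit, assumed here rather than taken from the post) and the `postmaster@` exclusion are all assumptions for illustration. The defensive lesson is that an object-model prompt is no substitute for monitoring which processes read mail stores and caches, and for filtering outbound SMTP from user workstations.

```python
import re
from typing import Iterable, List

# ASCII/latin address pattern applied directly to raw bytes, so it works on
# files with no text encoding at all (binary caches, mail stores, registry hives).
ASCII_EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# The same pattern on decoded text, used for the UTF-16LE pass.
TEXT_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumed skip list: domains a worm typically avoids mailing (here a stand-in
# for the vendor/AV domains worms of that period excluded).
DEFAULT_SKIP_DOMAINS = frozenset({"microsoft.com"})
# Assumed local-part exclusions: role accounts that only generate bounces.
DEFAULT_SKIP_LOCALPARTS = frozenset({"postmaster", "abuse"})


def build_sample_blob() -> bytes:
    """Constructed sample input standing in for an address book or browser cache.

    It mixes binary junk, ASCII addresses, UTF-16LE addresses (as a .wab file
    would store them), a vendor address that should be skipped and a duplicate.
    """
    ascii_part = b"\x00\x01junk alice@example.org\x00more\xff bob.smith@example.net;"
    utf16_part = "carol@example.com\u0000dave_x@sub.example.org".encode("utf-16-le")
    noise = b"support@microsoft.com postmaster@example.org alice@example.org"
    return ascii_part + b"\x00" * 8 + utf16_part + b"\x7f\x80" + noise


def harvest_addresses(
    blob: bytes,
    skip_domains: Iterable[str] = DEFAULT_SKIP_DOMAINS,
    skip_localparts: Iterable[str] = DEFAULT_SKIP_LOCALPARTS,
) -> List[str]:
    """Extract candidate e-mail addresses from an arbitrary byte string.

    No MAPI, no Outlook object model: this is the 'browse the whole file in
    binary mode' approach the post describes, which the Outlook guard never sees.
    """
    skip_domains = {d.lower() for d in skip_domains}
    skip_localparts = {l.lower() for l in skip_localparts}
    found = set()

    # Pass 1: single-byte encodings, matched straight on the bytes.
    for match in ASCII_EMAIL_RE.finditer(blob):
        found.add(match.group().decode("ascii").lower())

    # Pass 2: UTF-16LE text. The string may start at an odd offset inside the
    # file, so decode at both alignments; misaligned or non-text regions turn
    # into unrelated characters that the pattern does not match.
    for offset in (0, 1):
        text = blob[offset:].decode("utf-16-le", errors="ignore")
        for match in TEXT_EMAIL_RE.finditer(text):
            found.add(match.group().lower())

    # Apply the worm-style skip lists and return a deterministic order.
    result = []
    for addr in sorted(found):
        local, domain = addr.rsplit("@", 1)
        if domain in skip_domains or local in skip_localparts:
            continue
        result.append(addr)
    return result


if __name__ == "__main__":
    for addr in harvest_addresses(build_sample_blob()):
        print(addr)
```

Running the block prints the four harvested addresses; the vendor address and the role account are dropped and the duplicate is folded. Pointing `harvest_addresses` at the raw bytes of a real `.wab`, `.pst` or browser-cache file works the same way, which is exactly why the bulletin's mitigating factor offers no protection against this class of propagation.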