Re: Microsoft Word Email Object Data Vulnerability
From: Drew Copley (dcopley@EEYE.COM)
Date: Fri Jul 09 2004 - 14:00:56 CDT
> -----Original Message-----
> From: James C Slora Jr [mailto:Jim.Slora@phra.com]
> Sent: Friday, July 09, 2004 11:43 AM
> To: Drew Copley; James C. Slora, Jr.; bugtraq@securityfocus.com; 'Windows NTBugtraq Mailing List'
> Subject: RE: Microsoft Word Email Object Data Vulnerability
>
> I found the exploit in the wild, and backed into the explanation. The OBJECT spam that has been common since May 15 was what drew my attention to it. Logs showed hits to the hostile sites from spam mentioned in Clearswift's June 7 advisory. I tracked down the users who had generated the hits and found that the behavior only happened for users who forwarded their spam to their mail administrator to get it blocked.
>
> Clearswift and MessageLabs issued advisories about a large volume of hostile spam the first weekend in June. Their advisories mentioned a very narrow range of spam, but a search through archives showed the exploit had been circulating in ALL kinds of spam since at least May 15.
>
> The missing /OBJECT caused the OBJECT tags to escape filtering from a number of products and mail screening services. I think this was the main intent of the spammers. The Word forwarding vulnerability may or may not have been outside the scope of what they were originally trying to accomplish. The messages did clearly target gullible or uninformed people who wanted to stop their spam though, considering the unsubscribe link also pointed at a hostile page.
Honestly, the "object data" bug may be known by some people in the security world, but your everyday person has no idea of what it is. This means your average spammer, even >99% of your spammers, would not know what it is. Even talking to security people, they may have heard of it, but they don't understand what it is. They don't know what these fields are for or what Microsoft's "MIME magic" is. They don't deal with it at work, so why should they?

So, when I see something like this exploited in the wild, besides it being extremely rare... this is disturbing. Because it lifts the unknown vulnerability count up. I do not recall this bug being posted about before.
You may be right, it could be an accident.
I would like to see what kind of trojan this is installing.
(I do not think it is likely an accident, though.)
>
> I agree it is a pretty big deal, because spammers live by overcoming odds with volume and social engineering.
>
> Examples of the spam that was/is circulating:
> http://archives.neohapsis.com/archives/bugtraq/2004-06/0091.html
> (Please ignore the embarrassingly ignorant last paragraph of that post)
Unfortunately, no example of the trojan.

BTW, the closing object tag is not normally required in HTML, just tested here. So, they may have done that just for brevity or for munging.
>
> At the time of that post I had not yet figured out why we got execution in some cases.
You should not get execution because the bug should be fixed. It should not run anywhere.

It took them a long time to fix this bug. It was very disconcerting to see a variant discovered a week after they released the fix, already. (Http-equiv's variant... yes, the usual suspects...)
>
> Microsoft rekindled investigation of the bug this morning. Maybe I didn't wait long enough for the last response - it was just short of a week after I appealed for continued investigation, and a day after I went ahead and posted to Bugtraq.
<snip>
If it is in the wild, the public really needs to know. Not that I saw you say otherwise... but, just to make sure...

It is very good to hear they are working on this. It has been extremely frustrating to see them ignore these smaller issues like they have been.
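The filtering failure Slora describes above (an OBJECT tag with no closing /OBJECT slipping past mail screening) is easy to reproduce on the defender's side. The example below is added here and is not code from either poster or from any product named in the thread: it contrasts a hypothetical closing-tag-dependent regex signature with a detector built on Python's tokenizing `html.parser`, which records every `<object>` start tag whether or not it is ever closed. The message bodies and the `spam.example` hostname are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# A closing-tag-dependent pattern, standing in for the kind of filter signature
# the thread says an unclosed <OBJECT> escaped. Hypothetical; not any real
# product's rule.
NAIVE_OBJECT_RE = re.compile(r"<object\b[^>]*>.*?</object>", re.IGNORECASE | re.DOTALL)


def naive_filter_flags(html):
    """True only when a complete <object>...</object> pair is present."""
    return NAIVE_OBJECT_RE.search(html) is not None


class ObjectTagCollector(HTMLParser):
    """Record every <object> start tag the tokenizer sees, closed or not."""

    def __init__(self):
        super().__init__()
        self.objects = []  # one attribute dict per <object> start tag

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <OBJECT DATA=...>
        # arrives here as ("object", [("data", ...)]).
        if tag == "object":
            self.objects.append(dict(attrs))


def object_data_urls(html):
    """Return the data= value of each <object> start tag in the message body."""
    collector = ObjectTagCollector()
    collector.feed(html)
    collector.close()
    return [attrs.get("data") for attrs in collector.objects]


def should_quarantine(html):
    """Quarantine any message whose <object> pulls in a remote resource."""
    return any(url is not None and url.lower().startswith(("http://", "https://"))
               for url in object_data_urls(html))


# Constructed sample bodies (not the spam from the thread).
CLOSED = '<html><body><object data="http://spam.example/payload.html"></object></body></html>'
UNCLOSED = '<html><body><object data="http://spam.example/payload.html"><p>Click to unsubscribe</p></body></html>'
UPPER_UNCLOSED = '<HTML><BODY><OBJECT DATA="http://spam.example/payload.html"></BODY></HTML>'
CLEAN = '<html><body><p>Quarterly report attached.</p></body></html>'

if __name__ == "__main__":
    for name, body in [("closed", CLOSED), ("unclosed", UNCLOSED),
                       ("upper_unclosed", UPPER_UNCLOSED), ("clean", CLEAN)]:
        print(f"{name:15} regex={naive_filter_flags(body)!s:5} parser={should_quarantine(body)}")
```

The regex flags only the well-formed sample; the parser-based check flags all three bodies that carry a remote `data=` reference and leaves the clean one alone. The design point is that a mail filter should act on the tokenizer's view of the message (start tags and their attributes), never on the presence of matching close tags, because the renderer on the recipient's side does not require them either.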