Subject: Re: possible new "e-mail virus" concept ? + bypassing IE settings
From: Josemiguel.GilICEX.ES
Date: Thu May 18 2000 - 04:00:20 CDT


Hi Listmembers,

        as Jaro says, checking attached files to our e-mails will not be the
only task we should perform to prevent our computers from being infected.
Embedding scripting code into HTML e-mails could be the next ILY-type
virus-wave!! W98/2000 machines and W95 w/IE5.0 or W95 w/WSH engine installed
are potential targets.

        Anyway, you *can* prevent script (VBScript and/or JScript) code from
executing while previewing or reading mails also -as you do with Netscape-
using Outlook 98/2000 without affecting that behavior in the browser (MS
Explorer). Outlook/Tools/Options/Security will allow you to choose between
Internet Zone and Restricted Sites Zone for setting Outlook security.

        Once you have made your selection (Restricted sites Zone is strongly
recommended) using Tools/Options/Security/Zone Settings you will be able to
modify and set a more accurate security policy. (By default, ActiveX
components (signed or not) cannot run in this zone).

        Microsoft is taking its first step towards a more secure e-mail
reading (http://www.officeupdate.com/2000/articles/out2ksecarticle.htm).
Meanwhile, changing the settings described above is in our hands and will
make our security stronger.

        For enterprise-wide deployment you can use several tools to modify
the registry*:

                * .reg on logon servers
                * SMS Installer w/SMS
                * poledit with ntconfig.pol and/or config.pol
                * ...

*Registry Keys involved:

[Internet Security Zones]

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\xxx\yyy
                 xxx=0 for My Computer
                 xxx=1 for Local Intranet Zone
                 xxx=2 for Trusted Sites Zone
                 xxx=3 for Internet Sites Zone
                 xxx=4 for Restricted Sites Zone

        You can check the names and REG_DWORD values of yyy keys against
current Security Settings text values in Internet Explorer to identify the
settings you want to set. Usually values for yyy keys are 0x0 for "Enabled",
0x1 for "Prompt" and 0x3 for "Disabled".

[Outlook Security Zone Selected]

HKCU\Software\Microsoft\Office\8.0\Outlook\Options\General\Security Zone\xxx for Outlook 98
HKCU\Software\Microsoft\Office\9.0\Outlook\Options\General\Security Zone\xxx for Outlook 2000
                 xxx=3 for Internet Sites Zone
                 xxx=4 for Restricted Sites Zone

regards,

José Miguel Gil
Dpto. de Sistemas
ICEX

-----Original Message-----
From: Jaro Sterbik-Lamina [mailto:jaroHALLOWEB.AT]
Sent: Wednesday, May 17, 2000 4:16 PM
To: win2ksecadviceLISTSERV.NTSECURITY.NET
Subject: Re: possible new "e-mail virus" concept ? + bypassing IE
settings

great idea!
as far as i remember it's also possible to call java scripts or activex from
an image tag within an html page. think this was a problem a while ago for
users of web based e-mail services like microsoft's hotmail. with something
like that, you could do a lot of damage, too.
during the past days/weeks when the iloveyou hit e-mail users around the
world i wondered whether it's possible to call a virus script by embedding
it into an html mail. most mail clients will display an html formatted mail
without asking further questions. embedding a java script into a mail
shouldn't be too difficult...
that's why i like the possibility to turn off java script for mails
separately to the browser (like it's found in netscape...)
rgds,
jaro
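
Added example, not part of either message: a small Python audit that reads a regedit export of the keys listed above and reports whether Outlook 98/2000 is bound to the Restricted Sites zone (4) and whether scripting is Disabled (0x3) in that zone. It assumes "Security Zone" is a REG_DWORD value under `Options\General`, and that the yyy entry for Active scripting is `1400`, a name the post does not give; the sample export is constructed.

```python
import re

ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
ACTIONS = {0: "Enabled", 1: "Prompt", 3: "Disabled"}  # usual meanings per the post
OUTLOOK_KEY = re.compile(r"\\office\\(8\.0|9\.0)\\outlook\\options\\general$")
RESTRICTED_KEY = r"\currentversion\internet settings\zones\4"

def parse_reg(text):
    """Parse regedit export text into {lowercased key path: {value name: DWORD}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:  # non-DWORD values are ignored
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit(text, actions=("1400",)):  # "1400" (Active scripting) is an assumption
    """Return findings; an empty list means the export matches the hardened setup."""
    findings, restricted = [], {}
    for path, values in parse_reg(text).items():
        m = OUTLOOK_KEY.search(path)
        if m:
            zone = values.get("Security Zone")
            if zone != 4:
                findings.append("Outlook %s uses zone %s, not Restricted Sites"
                                % (m.group(1), ZONES.get(zone, zone)))
        elif path.endswith(RESTRICTED_KEY):
            restricted = values
    for name in actions:
        state = restricted.get(name)
        if state != 3:
            findings.append("Restricted Sites action %s is %s, not Disabled"
                            % (name, ACTIONS.get(state, state)))
    return findings

# Constructed sample export: Outlook 2000 left on the Internet zone, scripting enabled.
SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\General]
"Security Zone"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000000
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
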
