Subject: Re: MS Word and MS Access vulnerability - executing arbitrary programs, may be exploited by IE/Outlook
From: David LeBlanc (dleblanc MINDSPRING.COM)
Date: Tue Aug 08 2000 - 14:06:27 CDT
- Next message: Georgi Guninski: "Re: MS Word and MS Access vulnerability - executing arbitrary programs, may be exploited by IE/Outlook"
- Previous message: Jesper M. Johansson: "Re: MS Word and MS Access vulnerability"
- In reply to: Georgi Guninski: "Re: MS Word and MS Access vulnerability - executing arbitrary programs, may be exploited by IE/Outlook"
- Next in thread: Georgi Guninski: "Re: MS Word and MS Access vulnerability - executing arbitrary programs, may be exploited by IE/Outlook"
- Reply: David LeBlanc: "Re: MS Word and MS Access vulnerability - executing arbitrary programs, may be exploited by IE/Outlook"
- Reply: Georgi Guninski: "Re: MS Word and MS Access vulnerability - executing arbitrary programs, may be exploited by IE/Outlook"

At 06:34 PM 8/7/00 +0300, Georgi Guninski wrote:
>"Jesper M. Johansson" wrote:
>> Word documents do not even open automatically in IE if it has been
>> configured properly. The default is to save them to disk first, which means
>> they get executed locally. That means that if the firewall is configured
>> correctly UNC paths to the database do not work.
>For me the following works only in IE (and Outlook) and not other
>browsers:

But presumably if I mailed you one of these documents, and then you opened
it, then the exploit would fire, so it would seem to me that even if one
were using AOL, Netscape, or some other mail reader that the problem would
be the same all over with respect to mail readers, since the issue is
really opening a Word document with an embedded database. Delivery
mechanism is immaterial.

BTW, do you still work for AOL/Netscape? I'd heard you were over there.

>If the firewall is configured to not allow outbound netbios traffic, the
>attack shall not work on Internet, but IMHO the main function of a
>firewall is to protect from inbound traffic and generally allow outbound
>access.

It has been known for some time that certain outbound traffic should be
regulated. There have been a number of potential attacks revolving around
getting people to go to an SMB share that you control (announced several
years ago, and documented in Hobbit's LM paper, among others).

This is one of several reasons why proxies are gaining in popularity - it
allows you to have much better control over the traffic going out of your
network.

Additionally, regulating outbound traffic is smart under a lot of different
circumstances - for example, I don't want a web server making any outbound
connections. It won't normally do so, and preventing it will foil a number
of attacks.

>What do you think about performing this attack on a large LAN?

I think that yelling fire in a crowded theatre will create mayhem and
possibly get people hurt. This is one reason why I think it is a really
good idea to give people time to fix things before announcing
vulnerabilities - I'd like to help people make things more secure.

David LeBlanc
dleblanc
mindspring.com
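
The egress controls discussed in the message above, as an added example that is not part of the original post: a check over connection-log lines that flags outbound NetBIOS/SMB leaving the network and any outbound connection initiated by a host that should never make one. The log format, address ranges and host list are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: these ranges stand in for "your network"; adjust to the site.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# NetBIOS name, datagram and session services, plus SMB over TCP.
SMB_PORTS = {137, 138, 139, 445}
# Assumption: hosts (e.g. a web server) that should never initiate outbound traffic.
NO_EGRESS_HOSTS = {ipaddress.ip_address("10.0.5.20")}

# Constructed sample log: "src_ip dst_ip proto dst_port", one initiated connection per line.
SAMPLE_LOG = """\
10.0.1.15 10.0.2.8 tcp 445
10.0.1.15 203.0.113.7 tcp 139
10.0.1.22 198.51.100.9 tcp 443
10.0.5.20 198.51.100.9 tcp 80
10.0.1.30 203.0.113.7 udp 137
garbage line
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def review_egress(log_text):
    """Return (line_no, reason) for each connection an egress policy should block."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing at them
        try:
            src = ipaddress.ip_address(fields[0])
            dst = ipaddress.ip_address(fields[1])
            port = int(fields[3])
        except ValueError:
            continue
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external connections are egress
        if port in SMB_PORTS:
            findings.append((line_no, "outbound NetBIOS/SMB"))
        elif src in NO_EGRESS_HOSTS:
            findings.append((line_no, "server initiating outbound connection"))
    return findings

if __name__ == "__main__":
    for line_no, reason in review_egress(SAMPLE_LOG):
        print(line_no, reason)
```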