Office vulnerable to intruder with HTML skill

This week fate played a cruel hand and popped up two viral warnings, the first concerning all Microsoft Office variants, including the recently released Office XP. I think any worm-like behaviour that affects Office XP is worth mentioning. There is no virus as of writing and the issue is still proof-of-concept, but noted Microsoft-basher Georgi Guninski found an ActiveX control object used by Office to be vulnerable to an intruder with some HTML skills. Guninski is no virus developer; he is just someone who specialises in finding 'holes' in Microsoft ware.

According to him, the Outlook View Control can be controlled either through an HTML email or a Web page, and if you use Outlook, an attacker has the ability to view the contents of your Inbox. Guninski's example also pops up the contents of the top-most email in the folder on your screen! If you like walking a fine line, check out Guninski's magical code at http://www.guninski.com/vv2xp.html. I did and found that Office XP was wide open. I also found that you need to open the URL in IE (or in Outlook using the Web Access toolbar) to view the top-most mail object. It doesn't work if you use the Opera browser and Outlook Express.

The Outlook View Control is an ActiveX object that allows Outlook mail folders to be viewed via web pages. The control is supposed to allow only passive operations such as viewing mail or calendar data. What it does do is allow HTML script to manipulate Outlook data. The recently released Outlook 2002 E-mail Security Update should plug this leak. Unfortunately, I could not test its efficacy as I run a Preview build of XP that doesn't support the patch. A patch is under development, and Microsoft recommends that users disable the execution of all ActiveX controls in IE's Internet Zone. Use Tools|Internet Options|Security|Custom Settings to make the change. I suggest that instead of changing the setting to a blanket disable, you choose prompt.
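The Internet Zone setting the column tells you to change by hand can also be checked from a script, which is handy when you want to confirm the state of several machines. The PowerShell below is an added example and is not code from the column, from Guninski or from Microsoft. It assumes the long-documented per-user registry layout for IE security zones (`HKCU\...\Internet Settings\Zones\3` is the Internet Zone; value names such as 1200 are IE's URL-action identifiers; 0 = Enable, 1 = Prompt, 3 = Disable). The action labels are my own descriptions of those values.

```powershell
# Added example (not from the column): audit and, optionally, tighten the IE Internet Zone
# ActiveX settings that the column's mitigation changes via Tools|Internet Options|Security.
# Assumption: zone 3 of the per-user Internet Settings key is the Internet Zone and its
# DWORD values 1200/1201/1001/1004 are the documented ActiveX URL actions (0/1/3 = Enable/Prompt/Disable).

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Value name -> human-readable label (labels are ours, not Microsoft's wording).
$ActiveXActions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}

$StateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-InternetZoneActiveXPolicy {
    # Returns one record per ActiveX action; Weak is $true where the action is still fully enabled.
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($name in $ActiveXActions.Keys) {
        $raw = $props.$name
        $state = if ($null -eq $raw) {
            'Not set (zone default applies)'
        } elseif ($StateNames.ContainsKey([int]$raw)) {
            $StateNames[[int]$raw]
        } else {
            "Unknown ($raw)"
        }
        [pscustomobject]@{
            Value  = $name
            Action = $ActiveXActions[$name]
            State  = $state
            Weak   = ($null -ne $raw -and [int]$raw -eq 0)
        }
    }
}

function Set-InternetZoneActiveXToPrompt {
    # Applies the column's advice for the current user only (no admin rights needed):
    # anything currently at Enable (0) is raised to Prompt (1). Settings already at
    # Prompt or Disable are left alone, so a stricter existing choice is never loosened.
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($name in $ActiveXActions.Keys) {
        $raw = $props.$name
        if ($null -ne $raw -and [int]$raw -eq 0) {
            Set-ItemProperty -Path $ZonePath -Name $name -Value 1 -Type DWord
            Write-Host "Raised $name ($($ActiveXActions[$name])) from Enable to Prompt"
        }
    }
}

# Report the current state; uncomment the second line to apply the change.
Get-InternetZoneActiveXPolicy | Format-Table -AutoSize
# Set-InternetZoneActiveXToPrompt
```

Run it once before and once after the change to see the difference. Note that a domain policy under `HKLM` can override the per-user zone values, in which case the dialog in Internet Options will be greyed out and this script's `Set-` function will have no visible effect.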
This will also keep you posted on what ActiveX controls are being downloaded when browsing. That said, if you visit the above URL to see whether you too are vulnerable and nothing happens, email me giving your OS, any patches installed, Office version, and the amount of RAM you have. You don't need to give your name or phone number.

Finally, a few weeks ago the Leaves.Worm was found. It wasn't covered in this column because some free software I found received a high priority. Well, in a twist, the same worm is being re-distributed as part of a hoaxed security document purportedly issued by Microsoft. Readers might recall that Symantec and McAfee have been victims of such pranks. The email bulletin is titled "Microsoft Security Bulletin MS01-037" and mentions a serious virus that affects Windows PCs. To protect against this strain, users are asked to install the attached security patch. This statement by itself should alert you, because no vendor ever sends updates by email. W32.Leave.B is a variant of the W32.Leave.Worm and downloads components from Web sites. It also contains code to accept IRC commands. The worm builds on the SubSeven Trojan to combine multiple Windows 9x PCs to launch Denial of Service (DoS) attacks.

Govind Menon