http://wired.com/news/technology/0,1282,41994,00.html Beware Those Insidious Vcards by Michelle Delio 10:00 a.m. Feb. 23, 2001 PST Those little virtual business cards that some people attach to their e-mails might be dangerous. Microsoft announced Friday that a flaw in its Outlook e-mail program allows crackers to crash or remotely control computers and entire networks, via virtual business cards (Vcards) that harbor malicious code. Vcards containing malformed data can cause any action of the attacker's choice to run on the recipient's machine or a network when a hapless recipient opens them. They can add, change or delete data, communicate with websites, reformat a hard drive, and more. The flaw is located in the segment of the Outlook program that processes Vcards. Microsoft says damage would be limited only by the security permissions a user has set on his or her machine. "Since most people, especially those who aren't backed by a decent security department, typically leave their machines wide open to any security breaches, I'd say there's a lot of fun to be had here," said Andrew Antipass, a security consultant for TechServe. Ollie Whitehouse, managing security architect at @Stake is credited for discovering the flaw, which Whitehouse reported to Microsoft in November 2000. "Microsoft's reaction, as always in these matters, was professional. We worked with them to help them replicate the vulnerability. They in turn developed a patch which they sent to us for testing; additionally they coordinated with us the release of their advisory and our own," Whitehouse said. Typically, when a flaw is discovered that is not widely known and therefore doesn't seem to be an immediate threat, the software company and the discoverer of the flaw will avoid making official announcements until a patch has been developed. Once the announcement has been made, it is crucial for users to apply the patch, as attackers would then be aware of the flaw and will seek to exploit it. Microsoft has released a patch and advises anyone who uses Outlook to download and install the patch immediately. Whitehouse said that this particular programming flaw is not uncommon in Microsoft's products. Atstake has discovered a number of similar vulnerabilities in Microsoft products from Powerpoint to Media Player. Outlook 97 and 2000 and Outlook Express 5.01 and 5.5 contain the "Unchecked Buffer" flaw. An attacker can exploit the flaw by creating a Vcard, and then altering it with a hexadecimal editor to include a long string of data. Normally, when a program's buffer is overrun with random data, the application would simply lock up or crash. But due to that flaw in Outlook's buffer, flooding it with data by way of a Vcard can magically transform the e-mail program into a compliant slave of the cracker, allowing him or her to make Outlook act as a sort of remote control over the affected machine. If a vicious Vcard were opened on a machine whose user was connected to an unsecured network, or if the affected machine were configured to allow it control over a network, the attacker could control anything that is connected to that network. Essentially, the attacker would be a ghost in the machine, with all the rights and privileges that machine's user has. The card does have to be opened to be effective, said Microsoft, and there is no way that it can be coded to open automatically. "So the attacker would need to entice the recipient into opening the mail, then opening the Vcard," Microsoft said in its security bulletin. Unfortunately, given the wide and fast spread of recent viruses like Anna and the Love Bug, it doesn't take much enticing to get computer users to open and click on attachments. And "for reasons that are beyond my mortal abilities to figure out," many people don't consider Vcards to be an attachment, said Antipass. Microsoft plans to issue a full security bulletin on the Vcard problem late Friday.