More buffer fun with e-bizcards this time
Blank Frank
bfk at mindspring.com
Fri Feb 23 11:03:05 PST 2001
http://wired.com/news/technology/0,1282,41994,00.html
Beware Those Insidious Vcards
by Michelle Delio
10:00 a.m. Feb. 23, 2001 PST
Those little virtual business cards that some people attach
to their
e-mails might be dangerous.
Microsoft announced Friday that a flaw in its Outlook e-mail
program
allows crackers to crash or remotely control computers and
entire
networks, via virtual business cards (Vcards) that harbor
malicious
code.
Vcards containing malformed data can cause any
action of the attacker's choice to run on the
recipient's machine or a network when a
hapless
recipient opens them. They can add, change or
delete data, communicate with websites,
reformat a
hard drive, and more.
The flaw is located in the segment of the
Outlook
program that processes Vcards. Microsoft says
damage would be limited only by the security
permissions a user has set on his or her
machine.
"Since most people, especially those who
aren't
backed by a decent security department,
typically
leave their machines wide open to any
security
breaches, I'd say there's a lot of fun to be
had
here," said Andrew Antipass, a security
consultant
for TechServe.
Ollie Whitehouse, managing security architect
at
@Stake is credited for discovering the flaw,
which
Whitehouse reported to Microsoft in November
2000.
"Microsoft's reaction, as always in these
matters,
was professional. We worked with them to help
them replicate the vulnerability. They in
turn
developed a patch which they sent to us for
testing;
additionally they coordinated with us the
release of
their advisory and our own," Whitehouse said.
Typically, when a flaw is discovered that is
not
widely known and therefore doesn't seem to be
an
immediate threat, the software company and
the
discoverer of the flaw will avoid making
official
announcements until a patch has been
developed.
Once the announcement has been made, it is
crucial
for users to apply the patch, as attackers
would then
be aware of the flaw and will seek to exploit
it.
Microsoft has released a patch and advises
anyone
who uses Outlook to download and install the
patch
immediately.
Whitehouse said that this particular
programming
flaw is not uncommon in Microsoft's products.
Atstake has discovered a number of similar
vulnerabilities in Microsoft products from
Powerpoint
to Media Player.
Outlook 97 and 2000 and Outlook Express 5.01
and
5.5 contain the "Unchecked Buffer" flaw. An
attacker
can exploit the flaw by creating a Vcard, and
then
altering it with a hexadecimal editor to
include a
long string of data.
Normally, when a program's buffer is overrun
with
random data, the application would simply
lock up
or crash. But due to that flaw in Outlook's
buffer,
flooding it with data by way of a Vcard can
magically transform the e-mail program into a
compliant slave of the cracker, allowing him
or her
to make Outlook act as a sort of remote
control over
the affected machine.
If a vicious Vcard were opened on a machine
whose
user was connected to an unsecured network,
or if
the affected machine were configured to allow
it
control over a network, the attacker could
control
anything that is connected to that network.
Essentially, the attacker would be a ghost in
the
machine, with all the rights and privileges
that
machine's user has.
The card does have to be opened to be
effective,
said Microsoft, and there is no way that it
can be
coded to open automatically.
"So the attacker would need to entice the
recipient
into opening the mail, then opening the
Vcard,"
Microsoft said in its security bulletin.
Unfortunately, given the wide and fast spread
of
recent viruses like Anna and the Love Bug, it
doesn't
take much enticing to get computer users to
open
and click on attachments.
And "for reasons that are beyond my mortal
abilities
to figure out," many people don't consider
Vcards to
be an attachment, said Antipass.
Microsoft plans to issue a full security
bulletin on the
Vcard problem late Friday.
More information about the cypherpunks-legacy
mailing list