echo: nthelp
to: All
from: Geo.
date: 2004-05-17 19:30:30
subject: outlook still exploitable

From: "Geo." 

From one of the security lists:

Monday, May 17, 2004

Technical final step to 'silent delivery and installation of an executable
on the target computer, no client input other than reading an email': this
can be achieved with the highly touted 'secure-by-default' Outlook 2003
mail client from the craftsman known as 'Microsoft'.

Default settings of the 'gadget' are: restricted zone, which means no
ActiveX controls, no scripting, no file downloads etc.

This can all very easily be bypassed by simply embedding in a rich text
message our OLE object, one Windows Media Player. We then point our source
url to our media file, which includes our now run-of-the-mill 0s url flip,
and simply by previewing or opening the email message invoke our device
known as Internet Explorer to proxy our manipulation of the recipient's
machine.

In typical fashion, despite the settings in the Windows Media Player being
set to 'disallow' scripting in media files, despite Outlook 2003's 'highly'
secure default setting of viewing html content in the so-called 'restricted
zone', it all still works!

[screen shot: http://www.malware.com/rockitman.png 46KB]

This now all automates our process and coupling it with our previous first
step finding:

[http://www.securityfocus.com/bid/10307]

all we need to do next is our second step and embed the entire package
including the media file into the mail message and send it along its merry
way.

The whole Outlook 2003 'gadget' is broken.

Working Example:

Simply view the mail message:

http://www.malware.com/rockIT.zip

Notes:

1. Miserable selection of full screen = true can allow us to run our
'video' in WMP full screen mode. How about that: forget about html spam
messages, now we have full screen video advertisements on opening the mail
message.
2. Tested on XP, 2K3 POP mail client settings Outlook 2003; Exchange
Server settings unknown at this time.
3. Subject to initial WMP settings, a notification of connection settings
can pop up; however, it is generally dismissed at first running of WMP,
with neither a yes nor a no selection having an effect [as usual].
4. Firewalls should flag Outlook itself trying to escape out on port 80.
Nevertheless, if all is embedded, there is no need for remote hosting.
5. Disable HTML settings or get another mail client [better of the two as
below].
6. Lots more where this came from.


End Call

--
http://www.malware.com
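As an added defender-side illustration (not part of the advisory and not malware.com's rockIT sample), here is the check a mail gateway could apply to the delivery vector described above: walk an RTF message body, find every embedded OLE object group and report its class so that mail carrying a media-player object can be quarantined or stripped. The control words \object, \objclass and \objdata come from the RTF specification; the sample body and the WMPlayer.OCX class name below are constructed placeholders, not values taken from the post.

```python
import re

# Constructed sample RTF body (not the advisory's file): one embedded OLE object
# whose class name is a placeholder standing in for a media-player control.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0
{\fonttbl{\f0 Arial;}}
Quarterly report attached.\par
{\object\objemb\objw1440\objh1440{\*\objclass WMPlayer.OCX}{\*\objdata 0105000002000000}}
\par}"""

PLAIN_RTF = r"""{\rtf1\ansi Just text, no objects.\par}"""

OBJCLASS_RE = re.compile(r'\\objclass\s*([^}\\]+)')


def rtf_groups(rtf):
    """Yield (start, end) spans of every {...} group, honouring \{ \} \\ escapes."""
    stack = []
    i = 0
    while i < len(rtf):
        c = rtf[i]
        if c == '\\':          # skip the escaped/control character after a backslash
            i += 2
            continue
        if c == '{':
            stack.append(i)
        elif c == '}' and stack:
            yield stack.pop(), i + 1
        i += 1


def find_embedded_objects(rtf):
    """Return one record per {\object ...} group: its \objclass (if any) and whether
    it carries an \objdata payload. Groups like {\*\objclass ...} are children, not hits."""
    hits = []
    for start, end in rtf_groups(rtf):
        group = rtf[start:end]
        if not group.startswith('{\\object'):
            continue
        m = OBJCLASS_RE.search(group)
        hits.append({
            'objclass': m.group(1).strip() if m else None,
            'has_objdata': '\\objdata' in group,
        })
    return hits


def should_quarantine(rtf):
    """Gateway policy: any embedded OLE object in mail is enough to hold the message,
    since Outlook renders it on preview with no user action (the point of the post)."""
    return len(find_embedded_objects(rtf)) > 0
```

Strip or hold on any hit rather than on a class-name allow-list: the post's point is that the object is rendered on preview regardless of the zone settings, so the presence of an object is the signal.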

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
