Software bugs chew through Microsoft IE, Outlook

The software giant is investigating a trio of bugs that analysts say could open the door to "Love" bug-grade security scenarios.

Paul Festa, Staff Writer, CNET News.com

Microsoft is investigating a trio of software bugs that analysts say could open the door to "Love" bug-grade security scenarios.

The security holes affect combinations of Microsoft products including its Internet Explorer browser, Outlook productivity software suite, Outlook Express email client, Visual Basic programming language, Access database application, PowerPoint slide presentation software, Excel spreadsheet software, and ActiveX technology for linking desktop applications such as these with the Web.

The first two Microsoft bugs, identified by veteran bug hunter Georgi Guninski, exploit the same technologies that were at the root of the "I Love You" virus and its mutants earlier this year.

Taking advantage of lax security restrictions in Microsoft's Outlook Express email program, those viruses quickly swept the Internet by efficiently disseminating a Visual Basic script. Scripts are lines of code that execute actions on a computer, generally without a person's interaction.

Microsoft recently shored up those products against security abuses, stopping certain scripts from running automatically and applying "security zone" restrictions on incoming Outlook email.

But Outlook remains vulnerable, according to security analysts, who recently discovered several ways to mount attacks through the program.

"This would make for a great little Melissa- or I Love You-type worm," said Bugtraq moderator and SecurityFocus.com analyst Elias Levy. "It allows you by sending an email message to execute code on a machine. It could be used to install a back door to steal files from your computer or to create a worm. Once you can execute code in someone's computer, you are in control."

In the first security hole, Internet vandals could use ActiveX controls to embed Visual Basic scripts in Access files when victims visit maliciously designed Web pages or open maliciously designed HTML email. The exploit, which forces IE to download the Access file and open it along with the Visual Basic code, can yield "full control" of the victim's computer, according to Guninski.

The exploit uses frames, windows within HTML email windows, to evade Microsoft's new security zone restrictions.

Guninski posted a demonstration on his Web site.

Guninski's second bug demonstrates a similar vulnerability with PowerPoint and Excel.

The trouble with Excel and PowerPoint 2000, Levy explained, is that they come with new ActiveX controls that let a Web page save files anywhere on the computer, including the start-up directory. In that scenario, the file will run when the computer reboots and will run as a local file with security clearance to do anything.

ActiveX has long been implicated in potential security scenarios.

"ActiveX controls have to be careful that they can't really do anything dangerous like overwriting files, executing arbitrary files, or making new files," Levy said.

Microsoft's third security bug affects IE, Outlook and Outlook Express, according to a report posted to the Bugtraq security mailing list. The problem lies in the way Microsoft's applications download files: In some cases, the applications will download files even if the recipient has tried to deny or cancel the download.

Like the first two security holes, the exploit works either through a Web page or an HTML message, according to the report.

In a complementary security risk, the applications download files to the local temporary, or "temp," directory without randomly generating a name for that file, as they normally would. That makes files easily accessible to an attacker who could plant them there and use an ActiveX control to find and execute them.

Levy said the twofold approach gives attackers a powerful tool.

"With this combination, you can download an executable onto someone's machine knowing the file name and then use an ActiveX control to execute it," Levy said. "Because it was downloaded by the end user, you can do anything."

Levy said Microsoft would need to fix the applications to ensure executable temp files are given random names and executables are deleted immediately when recipients opt to cancel downloads.
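The two fixes Levy describes (random temp-file names and removal of cancelled downloads), shown beside the weak pattern as an added Python sketch; it is not code from the article, the Bugtraq report or Microsoft. The function names and the `cancelled` callback are hypothetical, and the sample bytes are constructed.

```python
import os
import tempfile

def save_download_weak(chunks, remote_name, directory, cancelled=lambda: False):
    """Pattern the article describes: sender-known name, cancelled file left behind."""
    path = os.path.join(directory, os.path.basename(remote_name))
    with open(path, "wb") as out:
        for chunk in chunks:
            if cancelled():
                break              # partial file stays on disk under a known name
            out.write(chunk)
    return path

def save_download(chunks, directory=None, cancelled=lambda: False):
    """Hardened form: random name, exclusive create, removed unless completed."""
    # mkstemp picks an unpredictable name and opens it with O_CREAT | O_EXCL,
    # so a file planted in advance under that name cannot be reused.
    fd, path = tempfile.mkstemp(prefix="dl-", dir=directory)
    completed = False
    try:
        with os.fdopen(fd, "wb") as out:
            for chunk in chunks:
                if cancelled():
                    return None    # cleanup happens in the finally clause
                out.write(chunk)
        completed = True
        return path
    finally:
        if not completed:          # cancelled or failed: nothing is left behind
            os.unlink(path)

if __name__ == "__main__":
    body = [b"MZ", b"constructed sample bytes"]   # constructed input
    with tempfile.TemporaryDirectory() as tmp:
        answers = iter([False, True])             # user cancels after one chunk
        print(save_download_weak(body, "setup.exe", tmp, lambda: next(answers)))
        answers = iter([False, True])
        print(save_download(body, tmp, lambda: next(answers)))
        print(os.listdir(tmp))                    # only the weak variant's file
```

The hardened function returns a path only for a completed download, so a caller never learns or keeps a name for a transfer the user declined.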

Sources close to Microsoft said the company is working on a patch for a related issue in which temp files were being assigned known file names. The company is in the process of figuring out whether that patch would address the new temp file issue.

Microsoft declined to comment further than to say it is investigating the three security holes.

The Bugtraq report recommended that people disable active scripting or ActiveX functionality.