Ordinarily, when a Microsoft Outlook user clicks on a file that was attached to an email message, the program will ask whether the user really wants to open or save the attachment. However, under the new type of attack, Outlook will go ahead and execute the potentially malicious program without asking permission.
The vulnerability smooths the way for a new type of email-borne virus, also called a Trojan horse, and other malicious software.
The attack works by disguising the true identity of an email attachment so Outlook assumes the attached file is benign, said the discoverer, Juan Carlos Garcia Cuartango, a Spanish researcher who has found several other weaknesses in the past. The masquerade works because Outlook doesn't examine files with certain "extensions," the three-letter filename suffixes such as "doc" or "gif."
"Outlook does not care about what the real attachment contains. It only cares about the attached file suffix," Cuartango said in an email.
Microsoft was unable to comment on the vulnerability by press time.
"I think it's very severe," said Elias Levy, chief technology officer of Security Focus, a company that monitors computer security problems. "It could be used to create something just as bad or even worse than Melissa," a virus that swept the Internet in March.
To protect against the problem, Security Focus recommends changing the default location for temporary files from TEMP or TMP to some other, unpredictable location. "You can also disable Javascript," the company said.
The Melissa virus was successful largely because it automatically sent copies of itself using Microsoft Outlook email software. Several variants have appeared since. Melissa proved a bonanza for antivirus companies, even though their software initially failed to detect the virus.
Cuartango notified Microsoft of the vulnerability on October 15. The problem affects Microsoft Outlook Express 4 and 5, Outlook 98, and Outlook 2000, Levy said. There aren't reports of any active attacks using the vulnerability, Levy said.
Email with a malicious payload attached is a popular new method of attacking computers. Indeed, US West's internal network had to be shut down for an evening about two weeks ago because of a Melissa-like attack.
But the basic problem isn't being fixed by companies such as Microsoft and Netscape, Levy believes.
"Cuartango and [fellow bug catcher Georgi] Guninski have shown we just have this cycle. They find a bug, the vendor patches it, a week goes by, and they find another one," Levy said. "We have to look beyond that at what's fundamentally wrong here: We have programs such as Web browsers and email clients that connect to an untrusted network from which they receive data they do not trust."
Levy believes the solution is to adopt a method used by the military in which programs run in a safe zone within the computer--a cordoned-off area where the programs have minimum privileges and can't do any damage. Sun Microsystems has taken steps in this direction with its "sandbox" area, Levy said, but there still is room for attacks that don't use Java and companies have had some difficulties in making sure Java works like it's supposed to.
The Unix operating system, which is supposed to restrict the actions of computer tasks not run by the system administrator, is better than Windows, "but definitely not the solution either," Levy said.
The new vulnerability works through a series of disguises, Levy said. First, the malicious program is converted into a Microsoft archive format called a "cab" file. The cab file is then renamed with the extension of a file type that Outlook isn't concerned with, such as "jpg," "mov," or "txt," and emailed as an attachment.
When the victim clicks on the attachment, the cab file is decompressed and its contents saved to a specific location. In the last stage, a Javascript program in the email can then execute the potentially malicious program that was contained in the cab file.
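A defensive check for the suffix-versus-content mismatch described above, as an added example that is not part of the original article: it flags attachments whose leading bytes contradict the filename extension. The signature table, function names and sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Leading-byte signature -> (label, suffixes that honestly describe that content)
SIGNATURES = [
    (b"MSCF", "cab archive", {".cab"}),
    (b"MZ", "windows executable", {".exe", ".dll", ".scr", ".com"}),
    (b"\xff\xd8\xff", "jpeg image", {".jpg", ".jpeg"}),
    (b"GIF8", "gif image", {".gif"}),
]

def sniff(payload: bytes):
    """Identify content by its first bytes, ignoring whatever the filename claims."""
    for magic, label, exts in SIGNATURES:
        if payload.startswith(magic):
            return label, exts
    return None, set()

def find_disguised_attachments(raw: bytes):
    """Return (filename, detected type) for attachments whose content contradicts the suffix."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = PurePosixPath(name.lower()).suffix
        payload = part.get_payload(decode=True) or b""
        label, honest_exts = sniff(payload)
        if label and ext not in honest_exts:
            findings.append((name, label))
    return findings

def build_sample() -> bytes:
    """Constructed message: a JPEG, a cab renamed to .jpg, and a plain text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16,
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"MSCF" + b"\x00" * 32,
                       maintype="image", subtype="jpeg", filename="holiday.jpg")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, label in find_disguised_attachments(build_sample()):
        print(f"{name}: suffix hides a {label}")
```

Content with no recognised signature, such as the text file, is left unflagged, so this catches disguised archives and executables rather than validating every attachment.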