We’ve all heard the saying, “The only things guaranteed in life are death and taxes!” Well, some people are beginning to think that we need to add a third item to that list of sure things. “The only things guaranteed in life are death, taxes and new security vulnerabilities with each incarnation of Microsoft’s Office Suite.” Yesterday, noted Bulgarian security consultant, Georgi Guninski, went public with a security advisory for Office XP users that would allow a malicious web developer unencumbered access to a victim’s e-mails. Simply by visiting a web page or opening a web enabled e-mail message, an Outlook user would unwittingly expose not only Outlook, but also the entire Windows system to the attacker. Further testing by KeyLabs, and after a subsequent security bulletin issued by Microsoft, we now know that this vulnerability affects Outlook 98 and Outlook 2000 as well as Outlook 2002 (part of the Office XP suite).

At the heart of the problem is the new “Microsoft Outlook View Control.” This ActiveX control allows Outlook features (i.e. e-mails, folders, calendar events, or contacts) to be displayed in web pages. Originally intended to only allow passive operations such as viewing data, this control unintentionally grants privileged access, which would allow the hacker to manipulate data. This bug goes far beyond simply manipulating e-mail messages. In our testing with KeyLabs, BugNet was able to go so far as to delete files from the victim’s computer as well as run executables – all without user intervention.

ActiveX Exploit

Exploiting this vulnerability involves creating a web page or HTML-enabled e-mail message with the embedded Outlook View ActiveX control. Once invoked, the control allows the HTML code (and any subsequent scripts) to run with elevated privileges on the victim’s system.

The Outlook View ActiveX control installs by default with Office XP, but also affects Outlook 98 and Outlook 2000. In our tests we found that the ActiveX control will download and install automatically (after the users verifies the Microsoft certificate) when IE encounters the object in a web page.

Make no mistake; this is a serious security breach. So much so that Microsoft issued a security bulletin without having a patch available. At the time of this writing, Microsoft is preparing a patch that will eliminate this bug, but also warns users that in the meantime, they should disable ActiveX controls in the Internet Zone.

Installing the previously released Outlook E-mail Security Update would eliminate half of this vulnerability. This security update was created over a year ago in answer to the e-mail borne worms and viruses like ILY. Installing this patch would eliminate e-mail as a vehicle of attack, but wouldn’t prevent a web page from infiltrating the system. For that, you will need to adjust IE’s security settings.

Workaround is the Only Option

We strongly recommend that users adjust their security settings appropriately. One simple way to do this is to adjust the security setting for the Internet Zone to High. Do this by starting Internet Explorer and clicking on Tools > Internet Options > Security. Select the Internet Zone and move the Security Level slider bar all the way to the top. This will lock down IE and prevent ActiveX and other scripting from running in the browser.

Be aware that by selecting IE’s highest security setting, many legitimate web sites will not function properly in the browser. Adding these web sites to the trusted sites zone will let them function as designed, yet still protect your system from rogue web sites.