Vista's Windows Mail vulnerable to file-execution attack

Vista's Windows Mail vulnerable to file-execution attack

Summary: A design error in Microsoft's Windows Mail, the e-mail application bundled into Windows Vista, could expose users to remote file-execution attacks, according to a warning from security researchers.A hacker known as "Kingcope" published proof-of-concept code to show that remote code execution is possible if a user is tricked into clicking a malicious link.

TOPICS: Windows

A design error in Microsoft's Windows Mail, the e-mail application bundled into Windows Vista, could expose users to remote file-execution attacks, according to a warning from security researchers.

A hacker known as "Kingcope" published proof-of-concept code to show that remote code execution is possible if a user is tricked into clicking a malicious link.

The error is that Windows Mail will execute any executable file if a folder exists with the same name.

"For example the victim has a folder in C: named blah and a batch script named blah.bat also in C:. Now if the victim clicks on a link in the email message with the URL target set to C:lah the batch script is executed without even asking," Kingcope explained.

If a UNC path is employed in an attack, then no local files are required to be present for this issue to be exploited.

A successful attack can facilitate remote code execution and result in unauthorized access in the context of the vulnerable user.

Microsoft is investigating Kingcope's claim but a spokesman made it clear the company was "not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time."

"Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary," the spokesman said in an e-mailed statement.

Topic: Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • LOL

    And gee they just got a nice report just yesterday! Little premature eh?! ]:)
    Linux User 147560
    • Yawn (NT)

      John Zern
      • Aw, was izzums up late last night baby sitting your Windows machines?

        Linux User 147560
        • John Zern = John Zero

          He's another No_Axe...just as clueless.
        • i say the same thing ho hum not much to read

          i say the same thing ho hum not much to read so they found a hole big deal..

          i mean if it was 27 28 i might have or even 5 i might have been wowed but as it is this article sucks..

          at least give me something i can sink my teeth into and as far as sleep i slept like a baby.

          if you have your anti virus uptodate and i'm sure they have all ready checked this out it's not a problem at all...

          so like i said ho hum
          SO.CAL Guy
        • nobody

          nobody likes a fanboy.

          i use linux a lot and you make me want to hide the fact, lest someone mistake me for someone who's having a sexual relationship with his operating system.
    • Reply to LOL

      Linux had 208 vulnerabilities for the same period with an average patch time of 58 days, a huge increase on the 42 patched vulnerabilities for the first half of the year.

      Apple's Mac OS X had 43 vulnerabilities--more than double the number for the first half of 2006--and an average patch time of 66 days.

      I'm not too sure I would be LOL at this point. As the OS grows and becomes more popular the hacks will invade it! And gee look at the patch time!
      • Of those 208 how many were

        actual OS vulns? Be very careful here... ]:)
        Linux User 147560
        • Be careful? What's up with that?

          My point is that as systems evolve and get popular they become targets of...... No slight to any users of Linux or other open source.....
          • You really don't get it do you

            You think that Linux security is the same lamer security that Microsoft uses on Windows, and you base your silly judgments of what might happen to Linux in a similar situation to Windows, on how Microsoft has designed security on Windows.
            tracy anne
          • If you think....

            No browser no matter who makes it is secure in this day and age. there are ways to get in. If a hack wants they can. I included the report of hits while not as ugly as MS it is starting on the platform. Hacks are after IDs these days not just planting virus', etc. I am not a MS diehard! I've been in the business for 32 years and witnessed their bufoonery and arrogant additude! Please don't pretend your so knowlegeable!
            ....that it can't be touched your only fooling yourself. Fool me once shame on you, fool me twice shame on me!
          • It seems that if you...

            Take an average Windows person who goes and installs a whole bunch of programs from the internet even if they were told it might contain malware and they installed anyway, their computer is compromised.

            What happens if you take that same user and put them on a Mac? Well they will find similar software for the Mac install it, type in the admin password, giving that program the access to your system to do whatever it was programmged to do.

            Now what about that same user on Linux? Well again if they downloaded a program, and it was designed to wreck havok on your computer, and you installed it, typing in any passwords you needed to, then I guess Linux would also be compromised

            My point? If a Windows person willfully downloads malware/spyware/viruses then I guess, they will do the same on any system, and they would still have the same problems.

            The OS has little to do with it. I have been telling my Brother-in law and Sister for years not to download certain programs and they do it any way, and then complain when they get porn pop-ups or viruses. I set them up with a Linux machine, 1 month later they were getting pretty bad stuff as well.

            We need to concentrate on educating users, not blamming an OS.
            Yes I have a Linux, Mac, and Windows PC. I even still have my Windows 3.11 computer, which has never crashed on me.
      • I should've included this too

        But almost one-third of the 39 Windows holes were high severity, and 20 were medium severity. Just two of the 208 Red Hat Linux security holes discovered were high severity, with 130 medium severity and 70 low severity. Only one of the Mac OS X holes was considered high severity, with 31 classed as medium and 11 as low severity.

        The report found that Windows also had the most vulnerabilities with exploit code and exploit activity, which Symantec claims may be one explanation why Microsoft has been pressured to develop and issue patches more quickly than other vendors.

        Mozilla Web browsers, such as Firefox, are also more secure than Microsoft's Internet Explorer, according to the report.

        It found 54 holes in IE during the second half of 2006, with one of these being of high severity, compared with 40 holes in Mozilla browsers, which had no high-severity vulnerabilities. Only four holes were found in the Safari and Opera browsers over the same period
  • Don't consider it alone

    If there's any vulnerabilities that allow dropping of files, then this is easily exploited.
  • Gues you missed the part

    about the code not needing to be local...

    Oh, that's right. It can't be used in a "business attack" since it's not Outlook. Wrong.

    Many employees are forbidden to use corporate email for personal traffic. Thus an alternative client is always used to slip under the radar unless the company's real big and has the resources, expereince and knowledge to block those ports at the gateway. A lot of small to mid-size companies, like my employer, don't.

    Further, families with home networking, one of vista's selling points, could also be vulnerable.

    No one vulnerability, unless its real egregious, is all that important. But take a serious flaw like this and use a couple of other tricks and you may have a real problem.

    Poo-pooing this is not very responsible.
    • poo-poo

      I'm going to continue to poo-poo this minor problem because it deserves it.

      What kind of company doesn't have the resources to block POP3 mail at the firewall? The "getting my home mail" scenario is far better, and more commonly-served by webmail.

      For a UNC on a home network they'd need to know your computer names. Is this supposed to be a mass-attack, or do you envision a targeted attack against your home network, preceded by intelligence gathering about the file layouts on the various computers?
      Larry Seltzer
      • Apparently you didn't read my post

        My company does not block POP3 mail. And a large number of small outfits that bought into the "SBS2003 can run your business" malarkey don't as well.

        You can poo poo all you want - it's your britches.
  • I already thought about that

    A UNC can point to any machine on the internet.

    The attacker could set up a SMB share which allows anonymous access on a hacked computer anywhere on the net and link to it like this...


    It's not a *super* critical vulnerability, but it's still serious and should be fixed ASAP.
    • \\\

      Any firewall will block this SMB share, assuming the attack even works off of servers outside the domain.

      This is at least a better idea than just to presume that there must be ways to drop files too.
      Larry Seltzer
      • You are not getting it

        * Miscreant takes over box with no firewall - or disables the firewall.
        * Miscreant sets up SMB share on owned box and places trojan.exe on it.
        * Miscreant sends email out with link to trojan on SMB share.

        Most home firewalls only block incoming traffic and do SPI for outgoing traffic, so most everyone can connect to a share that is hosted somewhere out on the net.