If you're using Microsoft Outlook Express in Internet Explorer 5.0 for e-mail and you don't disable the ActiveX Controls feature, someone could send you a message that could wipe the files off your hard drive or put a new file onto it.
This week Bulgarian computer consultant Georgi Guninski showed how the deceit can be done by embedding malicious script in an Internet mail message that can delete files while the victim is reading the message with Microsoft Outlook Express. This exploit takes advantage of ActiveX Controls, Microsoft's technology for executing a program on the Web, and doesn't appear to work with Internet Explorer 4.0.
"What Georgi did was create the 'nuclear e-mail message,'" claims Richard Smith, president of Cambridge, Massachusetts tools developer Phar Lap Software, who has kept close track of the security implications of ActiveX since Microsoft started developing the technology in the early 1990s.
"We have been anticipating something like this for years. In theory, it's no longer safe to read e-mail if you use Outlook Express," he says. "When you hear about browser exploits, think e-mail, too."
In his presentation at the Usenix security conference this week, Smith explained how Guninski's ploy works. The Outlook Express e-mail viewer reads HTML by default with Internet Explorer 5.0.
Guninski's "nuclear e-mail" takes advantage of an ActiveX Control called "Object for constructing type libraries for scriptlets," or "Scriptlet Type Lib" for short, that ships as part of Internet Explorer 5.0.
In this case, Guninski's malicious code instructs Internet Explorer 5.0's ActiveX Control to drop an executable onto the hard drive, and that executable can wipe out the entire drive if the attacker wrote it to do so. The trick also can add files to the user's hard drive, regardless of the Microsoft browser's security settings.
"Microsoft has shipped from the factory an ActiveX Control marked 'safe for scripting,' which it shouldn't have," Smith says. For its part, Microsoft has acknowledged the problem, although the company did not make its technical staff available to talk about it. A company spokeswoman did acknowledge the vulnerability means "you can drop an executable file into the system to do whatever you want. It could do anything."
Microsoft issued a statement advising users concerned about the problem to disable ActiveX Controls until the company releases a patch for its browser, hopefully later next week.
Guninski works as a security consultant for Netscape, which is now part of America Online. A spokeswoman there says Guninski was hired to review present and future Netscape products after discovering security problems in Netscape Communicator earlier this year. But she and Guninski denied Netscape was paying Guninski to crack Microsoft products.
The ActiveX e-mail escapade is just the latest in a long line of troubles associated with the technology, asserts Smith, who says about a dozen other ActiveX Controls written by Microsoft also need to be fixed.
Microsoft provides the tools to let others -- both the good guys and the bad guys -- write ActiveX Controls. Smith says he is concerned that ActiveX Controls are proliferating in a way largely unknown to users, as the Controls ship with a growing number of laptops, computers and software applications.
"These preinstalled ActiveX Controls are the ones I see as very dangerous," Smith says. "Active Controls are pretty difficult to write, and these are written by the good guys. I'm talking about Controls you never have the option not to install -- I call them 'accidental Trojans.'"
For instance, the Hewlett-Packard Pavilion laptop comes with an ActiveX Control called "Launch," designed to be used with the HP "System Wizard" for system diagnostics. Smith thinks it offers a back door into the laptop.
Kodak's imaging software that ships with Windows 98 has a Control to override files. It looks like a GIF file in the directory, but it's actually an unsafe ActiveX Control, Smith contends. A Toshiba laptop Smith looked at came with about 1,000 preinstalled ActiveX Controls.
To locate ActiveX Controls, Microsoft makes a tool called OLE View, part of the Visual Studio and Visual C++ developer's kits.
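For auditing which installed Controls carry the "safe for scripting" marking Smith describes, the following is an added example, not code from the article, Smith or Microsoft. It assumes a text export of the HKEY_CLASSES_ROOT\CLSID registry branch already decoded to a string; the function name, sample CLSIDs and Control names are constructed, and it sees only the registry marking, not Controls that assert safety at run time through the IObjectSafety interface.

```python
import re

# Component category ID that marks a COM class as "safe for scripting".
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA4-00AA006C42C4}"

# Constructed sample in .reg export format; CLSIDs and names are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Example File Writer Control"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95801-9882-11CF-9FA4-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}]
@="Example Diagnostics Control"

[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}]
@="Example Scripting Helper"

[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}\Implemented Categories\{7dd95801-9882-11cf-9fa4-00aa006c42c4}]
"""

# Matches a key under CLSID: group 1 is the class ID, group 2 any subkey path.
KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.*))?\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')
SAFE_SUBKEY = ("Implemented Categories\\" + CATID_SAFE_FOR_SCRIPTING).upper()


def safe_for_scripting(reg_text):
    """Return sorted (clsid, name) pairs registered as safe for scripting."""
    classes = {}       # clsid -> {"name": str, "safe": bool}
    current = None     # (clsid, subkey) of the key being read, if under CLSID
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            clsid, subkey = key.group(1).upper(), key.group(2) or ""
            entry = classes.setdefault(clsid, {"name": "", "safe": False})
            if subkey.upper() == SAFE_SUBKEY:   # GUID case varies in practice
                entry["safe"] = True
            current = (clsid, subkey)
        elif line.startswith("["):
            current = None                      # a key outside the CLSID tree
        elif current and current[1] == "" and DEFAULT_RE.match(line):
            # The default value of the class key is its display name.
            classes[current[0]]["name"] = DEFAULT_RE.match(line).group(1)
    return sorted((c, e["name"]) for c, e in classes.items() if e["safe"])
```
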
Smith says that he and his colleagues have not found a large number of ActiveX Controls embedded on public Web sites. He surmises this is probably because of the number of users still running a Netscape browser, which doesn't run ActiveX.