December 19, 2000, 7:52 AM — WASHINGTON, D.C. -- If you're using Microsoft Outlook Express in Internet Explorer 5.0 for e-mail and you don't disable the ActiveX Controls feature, someone could send you a message that could wipe the files off your hard drive or put a new file onto it.
Last week Bulgarian computer consultant Georgi Guninski showed how it can be done: malicious script embedded in an Internet mail message can delete files while the victim is reading the message with Microsoft Outlook Express. This exploit takes advantage of ActiveX Controls, Microsoft's technology for executing a program on the Web, and doesn't appear to work with Internet Explorer 4.0.
"What Georgi did was create the 'nuclear e-mail message,' " claims Richard Smith, president of Cambridge, Mass., tools developer Phar Lap Software, who has kept close track of the security implications of ActiveX since Microsoft started developing the technology in the early 1990s.
"We have been anticipating something like this for years. In theory, it's no longer safe to read e-mail if you use Outlook Express," he says. "When you hear about browser exploits, think e-mail, too."
In his presentation at the Usenix security conference last week, Smith explained how Guninski's ploy works. By default, the Outlook Express e-mail viewer reads HTML messages with Internet Explorer 5.0.
Guninski's "nuclear e-mail" takes advantage of an ActiveX Control called "Object for constructing type libraries for scriptlets," or "Scriptlet Type Lib" for short, that ships as part of Internet Explorer 5.0.
In this case, Guninski's malicious code instructs Internet Explorer 5.0's ActiveX Control to wipe out an entire hard drive, provided the attacker drops an executable that does so. The trick can also add files to the user's hard drive, regardless of the Microsoft browser's security settings.
"Microsoft has shipped from the factory an ActiveX Control marked 'safe for scripting,' which it shouldn't have," Smith says. For its part, Microsoft last week acknowledged the problem, although the company did not make its technical staff available to talk about it. A company spokeswoman did acknowledge the vulnerability means "you can drop an executable file into the system to do whatever you want. It could do anything."
Microsoft issued a statement advising users concerned about the problem to disable ActiveX Controls until the company releases a patch for its browser, hopefully later this week.
Guninski works as a security consultant for Netscape, which is now part of America Online. A spokeswoman there says Guninski was hired to review present and future Netscape products after discovering security problems in Netscape Communicator earlier this year. But she and Guninski denied Netscape was paying Guninski to crack Microsoft products.