Discussion:
Security issue in Microsoft Outlook
Andy Brezinsky
2005-05-18 23:15:13 UTC
How is this different than making just a normal link?

Example:
<a href="http://www.cybertrion.com">http://www.foo-labs.info</a>

Am I missing something here?
--
~Andy Brezinsky
An issue has been discovered in MS Outlook (All
Versions) where anyone can fake a URL & send it
across.
Let's compose an email in MS Outlook, let's type
http://www.cybertrion.com & put a space after it to
make it a link. Now put your cursor just before
http://www.foo-labs.info now send it to anyone. The
receiver will see the URL as http://www.foo-labs.info
but when he clicks on it it will directly take him to
http://www.cybertrion.com
I am not sure how critical this is but it can fool
a lot of people & result in the download of a virus.
Cybertrion Systems,
http://www.cybertrion.com
__________________________________
Do you Yahoo!?
Yahoo! Mail - Find what you need with new enhanced search.
http://info.mail.yahoo.com/mail_250
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Nick FitzGerald
2005-05-18 23:16:34 UTC
An issue has been discovered in MS Outlook (All
Versions) where anyone can fake a URL & send it
across.
<<snip details>>

This is a long-known issue with all Office applications that support
(by default) automatic HREF-ing (if making HTML) or other forms of
cross-referencing/web-linking. It is one of many, many examples of how
badly mis-named all those "smart" option thingamies are that the
marketroids so love demonstrating at product release shows and such...

In short, smart enough to initially recognize that you _may_ want this
to be an active link, but far too dumb to recognize that once such a
link has been created automatically, for many users much more smarts
are needed by the "smart" system should the user want to change the
link...
I am not sure how critical this is but it can fool
alot of people & result in download of a virus.
Well, that is a different issue.

A significant and valuable part of the _point_ of hyperlinks is that
the displayed text need not be a literal representation of the target
-- think about it for a moment...

Yes -- far too many people are so poorly trained in the workings of the
technology that they don't know to look past the surface display
(though there is a very strong human factors argument that they
should not need to), that the status bar is there for a reason (though,
of course, the technologists had to eff-up even that by allowing active
content in the "data" to alter the status bar display), and so on, but
some folk still smoke (and worse) tobacco (and worse) products, so
maybe that is an intractable problem for some (hopefully small-ish)
proportion of the population.


Regards,

Nick FitzGerald

Raoul Nakhmanson-Kulish
2005-05-19 06:02:31 UTC
Hello, Bakchodiya!
Let's compose an email in MS Outlook, let's type
http://www.cybertrion.com & put a space after it to
make it a link. Now put your cursor just before
http://www.foo-labs.info now send it to anyone. The
receiver will see the URL as http://www.foo-labs.info
but when he clicks on it it will directly take him to
http://www.cybertrion.com
I am not sure how critical this is but it can fool
a lot of people & result in the download of a virus.
This "bug" is a standard feature of HTML (including, of course, HTML
messages): you may specify any URL in <a href="..."> regardless of link
text. This is a widespread trick for phishing, and you haven't
discovered America ;)

But at the same time Outlook (prior to 2003) really is more vulnerable
than some other mail clients because it doesn't show the real link URL to
the user. Outlook 2003 shows the URL as a tooltip, but only after a short
delay, and some impatient users may be phished.

I prefer to use Mozilla Mail/Thunderbird: it shows the real URL in the status
bar instantly and moreover has a phishing detection algorithm (Mozilla
bug #279191). I especially like the "View -> Message body as -> Simple
HTML" feature, which removes any even slightly dangerous HTML tags and
attributes from a message before showing it but preserves the hypertext's
logical formatting.
--
Regards,
Raoul Nakhmanson-Kulish,
Elfor Soft Ltd.,
IT Department
Domingos Bruges
2005-05-18 22:31:34 UTC
Outlook does that when composing an email in HTML format, where you can have
any name associated to a link with a <a href> tag.

The example you give is something like <a href="http://www.cybertrion.com">
http://www.foo-labs.info</a>

Regards,
--
Domingos Bruges

-----Original Message-----
From: Bakchodiya [mailto:***@yahoo.com]
Sent: quarta-feira, 18 de Maio de 2005 21:28
To: ***@securityfocus.com
Cc: full-***@lists.grok.org.uk
Subject: Security issue in Microsoft Outlook

An issue has been discovered in MS Outlook (All
Versions) where anyone can fake a URL & send it
across.

How does it work:

Let's compose an email in MS Outlook, let's type


http://www.cybertrion.com & put a space after it to
make it a link. Now put your cursor just before
cybertrion & type any URL for eg:
http://www.foo-labs.info now send it to anyone. The
receiver will see the URL as http://www.foo-labs.info
but when he clicks on it it will directly take him to
http://www.cybertrion.com

I am not sure how critical this is but it can fool
a lot of people & result in the download of a virus.

For more details and Discovered by:
Cybertrion Systems,
http://www.cybertrion.com
Scovetta, Michael V
2005-05-18 22:41:31 UTC
Sorry to shoot you down, but this isn't a security issue at all. You can
do the same thing by typing some text, highlighting it, right-clicking,
clicking Hyperlink, and typing an address.

On the receiving end, the client will get:
<a href="http://www.foo-labs.info">http://www.cybertrion.com</a>
which is perfectly fine. They'll see after they click on the link that
they're going to foo-labs. At that point, it's out of Outlook's hands.

Now, if Outlook showed in the mouseover the cybertrion.com link, then
they would be a problem, but it appears to be working fine on Outlook
2003. Haven't tested previous versions, but this seems like it's
"working as designed".

Regards,

Michael Scovetta
Computer Associates
Senior Application Developer
Jesse Morgan
2005-05-18 23:27:02 UTC
You can also do that by adjusting the properties of the link. In the
same way you can take any text and make it into a link. If you view mail
in plain text only then it won't affect you.

The link text/actual url is an HTML anchor tag: <a
href="url.you.go.to">text you see</a>
Tom Gallagher
2005-05-19 01:00:06 UTC
How is this any different than having the text of a link say something other
than the URL? This is possible in HTML (in any application) and in Microsoft
Office applications. For example, go into Word and type "some text", then
highlight it and press Ctrl+K. Then type in the URL you want. This is now a
hyperlink. Also note that the tool tip should show the correct link.

This is essentially the same as the following HTML:
<A HREF="http://evil">http://safe</A>

Tom
Simon Dever
2005-05-19 04:33:29 UTC
Microsoft Outlook uses HTML to display its messages; this is just a feature
of that. No different than setting up link redirection and hiding the
ultimate destination on a webpage. Additionally it is similar to having the
alternate text, address and extra info about a link modified in the status
bar of a browser.

I see no security problem here, and if you feel like avoiding this problem
completely just disable the display of HTML code in the messages you
receive with Microsoft Outlook.

Regards,

Simon Dever
IT Consultant
Australia

Jens Becker
2005-05-19 10:48:13 UTC
You can also do it with HTML,
e.g. <a href="http://www.cybertrion.com">http://www.foo-labs.info</a>
and in addition you can change the text which is shown when the cursor is
over the link:
<a href="http://www.cybertrion.com"
title="http://www.foo-labs.info">http://www.foo-labs.info</a>

Sorry for my bad English.
--
Jens Becker
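Raoul's remark about Thunderbird's phishing detection and Jens's example of giving the anchor a tooltip that repeats the fake URL come down to one check: compare the host named in the anchor's visible text (and in its tooltip; the HTML attribute a browser shows as a tooltip on an anchor is title) with the host in href. The script below is an example added for this page, not code from any poster, from Thunderbird or from Outlook; it uses only the Python standard library, and the sample mail body is constructed from the thread's own example hosts.

```python
"""Flag anchors in an HTML mail body whose visible text or tooltip names a
different host than the real link target (the link-text trick in this thread).
Added example for this page; not Outlook, Thunderbird or any poster's code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Text that *looks* like a URL or bare host, e.g. "www.foo-labs.info" or
# "foo-labs.info/login"; group 1 is the host part.  Assumed heuristic.
URL_LIKE_RE = re.compile(
    r'^(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})(?:[/:?#].*)?$', re.I)


def host_of(s):
    """Host named by a URL or URL-like string, lowercased and without a
    leading 'www.'; None when the string does not look like a URL at all
    (plain words such as 'click here', mailto: links, relative paths)."""
    s = s.strip()
    if '://' in s:
        host = urlparse(s).hostname        # real URL: let urlparse split it
    else:
        m = URL_LIKE_RE.match(s)           # bare host or host/path
        host = m.group(1) if m else None
    if not host:
        return None
    host = host.lower()
    return host[4:] if host.startswith('www.') else host


class AnchorCollector(HTMLParser):
    """Collect (href, title, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            a = dict(attrs)
            self._current = [a.get('href') or '', a.get('title') or '', []]

    def handle_data(self, data):
        if self._current is not None:
            self._current[2].append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._current is not None:
            href, title, parts = self._current
            self.anchors.append((href, title, ''.join(parts).strip()))
            self._current = None


def deceptive_links(html):
    """Return [(href, shown, source)] for anchors whose visible text or
    title looks like a URL naming a host other than the href host.
    Anchors with descriptive text ("our web site") are not flagged:
    that is the legitimate use of hyperlinks the thread points out."""
    p = AnchorCollector()
    p.feed(html)
    p.close()
    findings = []
    for href, title, text in p.anchors:
        target = host_of(href)
        if target is None:                 # mailto:, relative, empty: out of scope
            continue
        for source, shown in (('text', text), ('title', title)):
            shown_host = host_of(shown)
            if shown_host is not None and shown_host != target:
                findings.append((href, shown, source))
                break
    return findings


# Constructed sample body using the thread's example hosts (not a real message).
SAMPLE_MAIL = """<html><body>
<p>Honest: <a href="http://www.cybertrion.com">http://www.cybertrion.com</a></p>
<p>Thread example: <a href="http://www.cybertrion.com">http://www.foo-labs.info</a></p>
<p>Tooltip trick: <a href="http://www.cybertrion.com"
   title="http://www.foo-labs.info">click here</a></p>
<p>Descriptive, fine: <a href="http://www.cybertrion.com">our web site</a></p>
<p>Bare host text: <a href="http://www.cybertrion.com/login">www.foo-labs.info/login</a></p>
</body></html>"""

if __name__ == '__main__':
    for href, shown, source in deceptive_links(SAMPLE_MAIL):
        print(f'{source:5} shows {shown!r} but goes to {href}')
```

The check deliberately ignores anchors whose text is ordinary prose, since, as several posters say, text that differs from the target is what hyperlinks are for; only text or tooltip that itself looks like a URL for another host is reported. Comparing hosts rather than full strings also catches the "www." and path variations an attacker would use to dodge a literal comparison.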
Steve Bostedor
2005-05-19 11:59:07 UTC
Doesn't seem to be a problem in Outlook 2003. I made one for
http://www.vncscan.com and then followed your instructions to change it
to www.hackme.com and it still went to hackme.com.

- Steve Bostedor
http://www.vncscan.com
The Real VNC Manager
M. Moreno
2005-05-19 13:42:29 UTC
I could not reproduce this using Outlook
2000(9.0.0.2711)

FYI
Mario Moreno


-------------
...everyone thinks of changing the world, but few think of changing themselves. -L. Tolstoy
Kevin Martin
2005-05-19 13:29:44 UTC
I must be missing something here. When I create an email with Outlook with
http://www.cybertrion.com<sp> and then arrow back to in front of cybertrion and enter
http://www.foo-labs.info my URL ends up looking like
http://www.http://www.foo-labs.infocybertrion.com and that is what gets sent and received by the
recipient. I'm apparently not doing this correctly or maybe it's in the way you have your Outlook
editing set up.

Kevin

Joachim Schipper
2005-05-19 13:57:33 UTC
This issue was originally discovered by Harry from
http://www.securityalertz.com & http://www.Harry-Inc.com The article is stolen from
http://www.securityalertz.com/Article805.html posted on May 06 2005
..Lol....the poser below copies most of the articles from Securityalertz on his
so called security sites claiming them to be his....
An issue has been discovered in MS Outlook (All
Versions) where anyone can fake a URL & send it
across.
Let's compose an email in MS Outlook, let's type
http://www.cybertrion.com & put a space after it to
make it a link. Now put your cursor just before
http://www.foo-labs.info now send it to anyone. The
receiver will see the URL as http://www.foo-labs.info
but when he clicks on it it will directly take him to
http://www.cybertrion.com
I am not sure how critical this is but it can fool
a lot of people & result in the download of a virus.
Erm... do you *want* to admit to 'discovering' this? ;-)

Joachim
Dan Margolis
2005-05-20 18:24:50 UTC
An issue has been discovered in MS Outlook (All
Versions) where anyone can fake a URL & send it
across.
Let's compose an email in MS Outlook, let's type
http://www.cybertrion.com & put a space after it to
make it a link. Now put your cursor just before
http://www.foo-labs.info now send it to anyone. The
receiver will see the URL as http://www.foo-labs.info
but when he clicks on it it will directly take him to
http://www.cybertrion.com
I am not sure how critical this is but it can fool
a lot of people & result in the download of a virus.
Wow. MS really fucked up on this one.

FYI, though, I've confirmed this vulnerability on Outlook 2003, IE6,
and, shockingly, Mozilla Thunderbird, Firefox, Opera, and Safari. In
fact, it almost seems as if *every* browser or other application that
renders HTML has this "feature" of displaying the text inside a <a> tag!

I, for one, am shocked and appalled that anyone could be so irresponsible
as to write such a vulnerability into production code. By allowing
links in their HTML pages, application writers make it trivially easy to
trick viewers into visiting web sites they didn't intend to! This can
lead to phishing attacks, viruses, widespread panic, and mass hysteria!

Severity ranking: High!

PS: If you weren't talking about just changing the link text, I
apologize for the above sarcasm.
--
Dan
David Corn
2005-05-20 19:17:15 UTC
That's exactly what I said earlier. The thing is this is NOT outlook
specific, ANY program that allows HTML is subject to this. <a
href=someurl>fake name</a> This is far from a security risk, HTML is a
feature not a bug.

David Corn
Security Consultant
Covetrix, IT Consulting Group
http://www.covetrix.com
Phone: 214-575-9583 x116
Fax: 214-575-9584
Colin
2005-05-21 22:03:01 UTC
how come the troll threads are always the longest?

:)

C
V***@vt.edu
2005-05-22 03:07:22 UTC
Post by Colin
how come the troll threads are always the longest?
It's springtime, and the trolls are looking for mates. The troll with the
longest is most likely to reproduce. Check the list archives in a few months -
if any of the trolls snag a mate, in a few months we'll see the tell-tale signs
of baby trolls moving out on their own(*). From this, one can calculate the
gestation period, and thus identify which sub-species of troll is involved....

(*) Witness for example all the offspring of "Hotmail & Passport (.NET
Accounts) Vulnerability", which has been spawning every few months for several
years now...
Keenan Smith
2005-05-23 17:46:21 UTC
I was not able to duplicate this.

Typing over the existing URL replaced both the displayed and link text.

Could anyone else duplicate?

Keenan
Micheal Espinola Jr
2005-05-23 20:12:58 UTC
I was not able to duplicate this with Outlook 2003. Both URLs were
visible, only the cybertrion URL was hotlinked, with no space
in between the two, i.e.:

http://www.foo-labs.infohttp://www.cybertrion.com
--
ME2 <http://www.santeriasys.net/>
David Cleveland
2005-05-23 20:25:35 UTC
I was able to duplicate. After creating the URL link, I put the cursor
right after the 'www.' and typed in 'foo-labs.info'. Then I deleted
everything after 'info' and sent it. The link read foo-labs and went to
cybertrion.


-David
Dan Margolis
2005-05-23 21:55:43 UTC
Post by David Cleveland
I was able to duplicate. After creating the URL link, I put the cursor
right after the 'www.' and typed in 'foo-labs.info'. Then I deleted
everything after 'info' and sent it. The link read foo-labs and went to
cybertrion.
After many trials and tribulations, I was able to replicate this. And
you know what? IT'S THE EXACT SAME RESULT AS IF SOMEONE HAD CLICKED
"EDIT" AND CHANGED THE URL!

So, what this means is that there is a "bug" in Outlook by which one
can, if one has not clicked off the link since creating it, create a
link, alter it, and not have the target altered to the new URL. I say
"bug" in quotes because what presumably is going on is the function that
updates the target is not called, leaving the old target in there.

Is this a security risk? NO! The reporter is a troll or a moron! Since
my prior sarcasm was apparently lost on some readers, THIS IS A FEATURE
OF HTML! Links can point to other places than the text in between the
link tags! If they couldn't, there'd be no point to having links!

If you have a problem with this, go back to using Gopher--or better yet,
stop using the Internet. We'll all miss your valuable input.

Once and for all: THIS IS NOT A VULNERABILITY. Now, can we all let this
stupid thread die?

Thanks and have a great day. :)
--
Dan