Vista flaws - let the games begin
Micro$oft’s most secure OS (since it’s last “most secure OS”).
If this bug is legit, then it proves that Microsoft is more worried about the appearance of security than security itself.
Can I get an “input validation!”
From Full Disclosure:
Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
From: Kingcope
Date: Fri, 23 Mar 2007 08:52:09 +0100Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
Successfully Tested on Windows Vista UltimateGreetings fly out to Alex,wtfomg,Thierry,Andi and Blackzero
Description
Windows Mail is the default Mail Client of Microsoft Windows Vista.Vulnerability
Remote Code Execution is possible if a user clicks on a malicious prepared link.Vistas Mail Client will execute any executable file if a folder exists with the same name.
For example the victim has a folder in C:\ named blah and a batch script named blah.bat also in C:\. Now if the victim clicks on a link in the email message with the URL target set to C:\blah the batch script is executed without even asking.
There is for example a CMD script by default in C:\Windows\System32\ named winrm.cmd (and also a folder named winrm inside System32).
Exploit:
Send a HTML email message containing the URL:
<a href=”c:/windows/system32/winrm?”>Click here!
or
<a href=”c:/windows/system32/migwiz?”>Click here!
and winrm.cmd/migwiz.exe gets executed without asking for permission.
These are just examples.
Later posts indicate that UNC paths work as well, but require an acknowledgment from the user.
After a few days of using Vista, users will be “ok” happy on any alert box.
In setting up a Vista box for a friend, I was particularly concerned about having to click “ok” THREE times to delete ONE file!
PWNT by the M$FT man.
Bill