Alert: Microsoft Security Bulletin - MS02-021

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 04/26/02


Date:         Thu, 25 Apr 2002 20:30:18 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

http://www.microsoft.com/technet/security/bulletin/MS02-021.asp

E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward (Q321804)

Originally posted: April 25, 2002

Summary

Who should read this bulletin: Users of Microsoft® Outlook 2000 or Outlook 2002

Impact of vulnerability: Run Code of Attacker's Choice

Maximum Severity Rating: Moderate

Recommendation: Customers using WordMail should apply the patch immediately

Affected Software:
- Microsoft Outlook 2000
- Microsoft Outlook 2002

Technical description:

Outlook 2000 and 2002 provide the option to use Microsoft Word as the e-mail editor when creating and editing e-mail in either Rich-Text or HTML format. A security vulnerability exists when Outlook is configured this way and the user forwards or replies to a mail from an attacker.

The vulnerability results from a difference in the security settings that are applied when displaying a mail versus editing one. When Outlook displays an HTML e-mail, it applies Internet Explorer security zone settings that disallow scripts from being run. However, if the user replies to or forwards a mail message and has selected Word as the e-mail editor, Outlook opens the mail and puts the Word editor into a mode for creating e-mail messages. Scripts are not blocked in this mode.

An attacker could exploit this vulnerability by sending a specially malformed HTML e-mail containing a script to an Outlook user who has Word enabled as the e-mail editor. If the user replied to or forwarded the e-mail, the script would then run, and be capable of taking any action the user could take.

Mitigating factors:
- The vulnerability only affects Outlook users who use Word as their e-mail editor.
- Users who have enabled the feature introduced in Office XP SP1 to read HTML mail as plain text are not vulnerable.
- For an attacker to successfully exploit this vulnerability, the user would need to reply to or forward the malicious e-mail. Simply reading it would not enable the scripts to run, and the user could delete the mail without risk.

Vulnerability identifier: CAN-2002-1056

This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
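
One defensive check suggested by the technical description above, as an added example that is not part of the bulletin or the original post: a gateway-style scan that flags HTML mail parts carrying script constructs before they reach a user who might reply to or forward them. The function and class names and the two sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

SCRIPT_URL_SCHEMES = ("javascript:", "vbscript:")

class ScriptFinder(HTMLParser):
    """Collects script-bearing constructs found in an HTML body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, value in attrs:
            # Normalise: strip all whitespace and case before testing the scheme.
            value = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif value.startswith(SCRIPT_URL_SCHEMES):
                self.findings.append(f"script URL in {name} on <{tag}>")

def scan_message(raw):
    """Return findings for every text/html part of an RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():  # covers single-part and multipart mail
        if part.get_content_type() == "text/html":
            finder = ScriptFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings

# Constructed sample messages (not taken from the bulletin).
SAMPLE_SUSPECT = (
    "Subject: constructed sample\nMIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n\n"
    '<html><body onload="void(0)"><p>Please reply.</p>'
    "<script>/* placeholder */</script></body></html>\n"
)
SAMPLE_CLEAN = (
    "Subject: constructed sample\nMIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n\n"
    "<html><body><p>Please reply.</p></body></html>\n"
)

if __name__ == "__main__":
    for label, raw in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        print(label, scan_message(raw))
```

A non-empty result marks a message to quarantine or convert to plain text, which matches the bulletin's mitigating factor that reading HTML mail as plain text removes the exposure.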


