Alert: Microsoft Security Bulletin - MS02-021
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 04/26/02
Date: Thu, 25 Apr 2002 20:30:18 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
http://www.microsoft.com/technet/security/bulletin/MS02-021.asp
E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward (Q321804)
Originally posted: April 25, 2002
Summary
Who should read this bulletin: Users of Microsoft® Outlook 2000 or Outlook 2002
Impact of vulnerability: Run Code of Attacker's Choice
Maximum Severity Rating: Moderate
Recommendation: Customers using WordMail should apply the patch immediately
Affected Software:
- Microsoft Outlook 2000
- Microsoft Outlook 2002
Technical description:
Outlook 2000 and 2002 provide the option to use Microsoft Word as the e-mail editor when creating and editing e-mail in either Rich-Text or HTML format. A security vulnerability exists when Outlook is configured this way and the user forwards or replies to a mail from an attacker.
The vulnerability results from a difference in the security settings that are applied when displaying a mail versus editing one. When Outlook displays an HTML e-mail, it applies Internet Explorer security zone settings that disallow scripts from being run. However, if the user replies to or forwards a mail message and has selected Word as the e-mail editor, Outlook opens the mail and puts the Word editor into a mode for creating e-mail messages. Scripts are not blocked in this mode.
An attacker could exploit this vulnerability by sending a specially malformed HTML e-mail containing a script to an Outlook user who has Word enabled as the e-mail editor. If the user replied to or forwarded the e-mail, the script would then run, and be capable of taking any action the user could take.
Mitigating factors:
- The vulnerability only affects Outlook users who use Word as their e-mail editor.
- Users who have enabled the feature introduced in Office XP SP1 to read HTML mail as plain text are not vulnerable.
- For an attacker to successfully exploit this vulnerability, the user would need to reply to or forward the malicious e-mail. Simply reading it would not enable the scripts to run, and the user could delete the mail without risk.
Vulnerability identifier: CAN-2002-1056
This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]
I can only hope that the information it does contain can be read well enough to serve its purpose.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor