Alert: Microsoft Security Bulletin - MS03-003

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 01/23/03

    Date: Wed, 22 Jan 2003 18:50:55 -0500
    From: Russ <Russ.Cooper@RC.ON.CA>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    http://www.microsoft.com/technet/security/bulletin/MS03-003.asp

    Flaw in how Outlook 2002 handles V1 Exchange Server Security Certificates could lead to Information Disclosure (812262)

    Originally posted: January 22, 2003

    Summary

    Who should read this bulletin: Administrators of Microsoft Outlook 2002 systems using V1 Exchange Server Security certificates for encryption.

    Impact of vulnerability: Information Disclosure

    Maximum Severity Rating: Moderate

    Recommendation: Administrators of Microsoft Outlook 2002 systems using V1 Exchange Server Security certificates for encryption should apply the patch immediately.

    Affected Software:
    - Microsoft Outlook 2002

    End User Bulletin: An end user version of this bulletin is available at: http://www.microsoft.com/security/security_bulletins/ms03-003.asp.

    Technical description:

    Microsoft Outlook 2002 provides the facility to encrypt e-mails sent between e-mail recipients. Encryption is used to prevent parties other than the intended recipients from reading the contents of an e-mail. Outlook uses public key certificates to facilitate the exchange of the cryptographic keys that are used in the encryption process, and Outlook offers a number of different options as to what type of certificates can be used. S/MIME certificates are the most commonly used (and are not affected by the vulnerability that is the subject of this bulletin), but there are other certificate options including V1 Exchange Server Security certificates.

    A vulnerability exists because there is a flaw in the way Outlook 2002 handles a V1 Exchange Server Security certificate when using it to encrypt e-mail. As a result of this flaw, Outlook fails to encrypt the mail correctly and the message will be sent in plain text. This could cause the information in the e-mail to be exposed when the user believed it to be protected through encryption.

    Mitigating factors:
    - This vulnerability only affects encryption when a V1 Exchange Server Security certificate is used. S/MIME encryption, the most widely used form of e-mail encryption in Outlook, is not affected.
    - This vulnerability only affects Outlook 2002 and only when sending HTML e-mail.

    Vulnerability identifier: CAN-2003-0007
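The failure mode above is a message the sender believed encrypted leaving as readable HTML. As an added check (not part of the bulletin or of any Microsoft tool), the script below classifies an exported message by its MIME structure: an S/MIME enveloped-data part counts as encrypted, a readable text/plain or text/html body counts as plaintext. It assumes messages are available as RFC 822 text (e.g. .eml exports of Sent Items); the proprietary Exchange V1 envelope is not parsed, so the useful signal is the plaintext verdict.

```python
"""Audit an exported message: did it go out encrypted, or as readable text?

Added check, not from the bulletin.  It recognises S/MIME enveloped-data
(RFC 3851 content types) as encrypted and a readable text/plain or
text/html body as plaintext; the proprietary Exchange V1 format is not
parsed, the goal is catching the readable-body case the bulletin describes.
"""
from email import message_from_string
from email.message import Message

ENVELOPED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def is_enveloped(part: Message) -> bool:
    """True for an S/MIME enveloped-data (encrypted) part."""
    if part.get_content_type() not in ENVELOPED_TYPES:
        return False
    smime_type = (part.get_param("smime-type") or "").lower()
    # Older mailers omit smime-type; accept the conventional smime.p7m name.
    return smime_type == "enveloped-data" or (
        not smime_type and (part.get_filename() or "").lower() == "smime.p7m")

def classify(raw: str) -> str:
    """Return 'encrypted', 'plaintext' or 'unknown' for one RFC 822 message."""
    for part in message_from_string(raw).walk():   # walk() yields the root too
        if part.is_multipart():
            continue
        if is_enveloped(part):
            return "encrypted"
        if part.get_content_type() in ("text/plain", "text/html"):
            # A signed-only (multipart/signed) body also lands here: readable.
            if (part.get_payload(decode=True) or b"").strip():
                return "plaintext"
    return "unknown"

# Constructed samples: one properly enveloped, one that leaked as HTML.
ENCRYPTED_SAMPLE = """\
Subject: quarterly numbers
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""

LEAKED_SAMPLE = """\
Subject: quarterly numbers
Content-Type: text/html; charset="iso-8859-1"

<html><body>Revenue: confidential figures here</body></html>
"""
```

Run `classify()` over each exported message and review everything that comes back "plaintext" but was addressed to a recipient who should have received it encrypted.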

    This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

    I can only hope that the information it does contain can be read well enough to serve its purpose.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
