Alert: Microsoft Security Bulletin - MS03-003
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 01/23/03
Date: Wed, 22 Jan 2003 18:50:55 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
http://www.microsoft.com/technet/security/bulletin/MS03-003.asp
Flaw in how Outlook 2002 handles V1 Exchange Server Security Certificates could lead to Information Disclosure (812262)
Originally posted: January 22, 2003
Summary
Who should read this bulletin: Administrators of Microsoft Outlook 2002 systems using V1 Exchange Server Security certificates for encryption.
Impact of vulnerability: Information Disclosure
Maximum Severity Rating: Moderate
Recommendation: Administrators of Microsoft Outlook 2002 systems using V1 Exchange Server Security certificates for encryption should apply the patch immediately.
Affected Software:
- Microsoft Outlook 2002
End User Bulletin: An end user version of this bulletin is available at: http://www.microsoft.com/security/security_bulletins/ms03-003.asp.
Technical description:
Microsoft Outlook 2002 provides the facility to encrypt e-mails sent between e-mail recipients. Encryption is used to prevent parties other than the intended recipients from reading the contents of an e-mail. Outlook uses public key certificates to facilitate the exchange of the cryptographic keys that are used in the encryption process, and Outlook offers a number of different options as to what type of certificates can be used. S/MIME certificates are the most commonly used (and are not affected by the vulnerability that is the subject of this bulletin), but there are other certificate options including V1 Exchange Server Security certificates.
A vulnerability exists because there is a flaw in the way Outlook 2002 handles a V1 Exchange Server Security certificate when using it to encrypt e-mail. As a result of this flaw, Outlook fails to encrypt the mail correctly and the message will be sent in plain text. This could cause the information in the e-mail to be exposed when the user believed it to be protected through encryption.
Mitigating factors:
- This vulnerability only affects encryption when a V1 Exchange Server Security certificate is used. S/MIME encryption, which is the most widely used form of e-mail encryption in Outlook, is not affected.
- This vulnerability only affects Outlook 2002 and only when sending HTML e-mail.
Vulnerability identifier: CAN-2003-0007
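A defender-side check that follows from the description above, added here as an example and not part of the bulletin: it audits outbound messages and flags any that policy says must be encrypted but that still carry a readable body part. It assumes a correctly encrypted Outlook message leaves as an application/pkcs7-mime envelope; the policy domain, addresses and both sample messages are constructed.

```python
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumption: a correctly encrypted message is wrapped in one of these types.
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
# Constructed policy: mail to these recipient domains must be encrypted.
MUST_ENCRYPT = {"partner.example"}

def readable_parts(msg: Message) -> list:
    """Content types of every MIME part that exposes a readable text body."""
    found = []
    for part in msg.walk():
        if part.get_content_type() in ENCRYPTED_TYPES:
            continue  # ciphertext envelope, nothing readable here
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            if body.strip():
                found.append(part.get_content_type())
    return found

def audit(raw: str, must_encrypt: set = MUST_ENCRYPT) -> str:
    """Return 'encrypted', 'leak' or 'unprotected-ok' for one RFC 2822 message."""
    msg = message_from_string(raw)
    domains = {addr.rsplit("@", 1)[-1].lower()
               for _, addr in getaddresses(msg.get_all("To", [])) if "@" in addr}
    if msg.get_content_type() in ENCRYPTED_TYPES:
        return "encrypted"
    if domains & must_encrypt and readable_parts(msg):
        return "leak"  # policy required encryption, but a readable body went out
    return "unprotected-ok"

# Constructed samples. The base64 body is a placeholder, not a real envelope.
SMIME_MSG = """From: alice@corp.example
To: bob@partner.example
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
"""
HTML_LEAK = """From: alice@corp.example
To: Bob <bob@partner.example>
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Confidential figures inside.</p></body></html>
"""
```

The second sample is the shape of message this bulletin warns about: HTML mail the sender believed was encrypted but that left the client as readable text/html.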
This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]
I can only hope that the information it does contain can be read well enough to serve its purpose.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Delivery co-sponsored by TruSecure Corporation