[NT] Microsoft Multiple E-Mail Client Address Spoofing Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 04/10/05

  • Next message: SecuriTeam: "[UNIX] RadBids Multiple Vulnerabilities"
    To: list@securiteam.com
    Date: 10 Apr 2005 17:50:08 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      Microsoft Multiple E-Mail Client Address Spoofing Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     Microsoft Outlook (http://www.microsoft.com/outlook/) provides an
    integrated solution for managing and organizing e-mail messages,
    schedules, tasks, notes, contacts, and other information. Remote
    exploitation of an address spoofing vulnerability in various Microsoft
    Corp. e-mail clients could allow attackers to social engineer sensitive
    information from end users.

    DETAILS

    Vulnerable Systems:
     * Microsoft Outlook as distributed with Office XP and 2003, as well as
    Outlook Web Access as distributed with Exchange 2003, have been confirmed
    as vulnerable. Prior versions are suspected to be affected as well.

    Immune Systems:
     * Microsoft Outlook Express is not affected by this issue

    Microsoft Outlook and Microsoft Outlook Web Access (OWA) are widely
    deployed collaboration clients in corporate networks. The vulnerability
    exists in message header parsing and allows an attacker to spoof the
    "From" field shown on the user's screen. When the From field of the
    message header (not the SMTP envelope) contains multiple comma-separated
    addresses, Outlook and OWA display only the first one. Consider the
    following example header:

    From: support@your.company, Phisher <phisher@attackers.domain>

    Outlook and OWA will display only "support@your.company" as the sender
    address. Server-side e-mail spoofing is a well-known matter; this issue
    is relevant because it exists within the client. Consider the following
    example: a corporate SMTP server is configured to drop all mail received
    from the external network that claims to be from an internal address.
    Because the From field above still contains the attacker's real external
    address, a server-side check that evaluates the whole field, or the
    envelope sender, need not be triggered, while the recipient sees only the
    internal address. An attacker can thus bypass the imposed restriction and
    deliver a message that appears to come from an internal user. Combined
    with social engineering, this could lead to further compromise.

    Workaround:
    Examine the full mail headers of any suspicious e-mail message before
    acting on its instructions or following any links it contains.
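    The following Python script is an added example, not part of the
    iDEFENSE advisory or of any Microsoft product, illustrating both the
    parsing flaw described above and the header check the workaround asks
    for. It contrasts the flawed "take everything before the first comma"
    display with a full RFC 2822 parse of the From field, and adds the
    verdict an inbound gateway could use: flag any message whose From field
    carries more than one mailbox or mixes internal and external domains,
    rather than judging the first address alone. The sample messages and the
    INTERNAL_DOMAINS set are constructed for the example; only
    "your.company" and "attackers.domain" come from the advisory.

```python
import email
from email.utils import getaddresses

# Domains the hypothetical inbound gateway treats as internal (an assumption
# for this example; the advisory only names "your.company").
INTERNAL_DOMAINS = {"your.company"}

# Constructed sample messages (not from the advisory). The first reproduces the
# header shape the advisory describes: an internal-looking mailbox first, the
# real external sender second.
SPOOFED_MESSAGE = b"""From: support@your.company, Phisher <phisher@attackers.domain>
To: victim@your.company
Subject: Password reset required

Please confirm your password at the link below.
"""

LEGIT_MESSAGE = b"""From: Jane Doe <jane@partner.example>
To: victim@your.company
Subject: Meeting

See you at 3.
"""


def naive_display_from(raw_from: str) -> str:
    """Mimic the flawed client behaviour the advisory describes: treat the text
    before the first comma as the sender and ignore the rest.  (This also
    mangles a quoted display name such as "Doe, John" <j@x>, one more reason
    never to parse address lists this way.)"""
    return raw_from.split(",", 1)[0].strip()


def from_mailboxes(raw: bytes) -> list:
    """Every address in the From field, as a full RFC 2822 parse sees it."""
    msg = email.message_from_bytes(raw)
    return [addr for _name, addr in getaddresses(msg.get_all("From", []))]


def analyze(raw: bytes) -> dict:
    """What a naive client shows versus what the header actually contains, plus
    a gateway verdict: flag any From field that carries more than one mailbox
    or mixes internal and external domains, instead of judging the first
    address alone."""
    msg = email.message_from_bytes(raw)
    addrs = from_mailboxes(raw)
    domains = {a.rsplit("@", 1)[1].lower() for a in addrs if "@" in a}
    internal = domains & INTERNAL_DOMAINS
    external = domains - INTERNAL_DOMAINS
    return {
        "naive_client_shows": naive_display_from(msg.get("From", "")),
        "actual_senders": addrs,
        "flag": len(addrs) > 1 or (bool(internal) and bool(external)),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(label, analyze(raw))
```

    Note that RFC 2822 does permit more than one mailbox in From (a
    multi-author message), in which case a Sender field is required, so a
    gateway rule that flags every multi-mailbox From field will occasionally
    hit legitimate mail; quarantining for review rather than silently
    dropping is the safer default.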

    Vendor Status:
    Microsoft has reviewed the issue and has made the determination that while
    a bug fix may be implemented in a future service pack, a security
    advisory/patch will not be released for this issue.

    Disclosure Timeline:
    01/21/2005 - Initial vendor notification
    01/24/2005 - Initial vendor response
    04/08/2005 - Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE
    (idlabs-advisories@idefense.com).
    The original article can be found at:
    http://www.idefense.com/application/poi/display?type=vulnerabilities

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.

