
Microsoft Outlook Email Editor Vulnerability (CIAC M-073)




             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                 Microsoft Outlook E-mail Editor Vulnerability
                     [Microsoft Security Bulletin MS02-021]

April 26, 2002 15:00 GMT                                          Number M-073
______________________________________________________________________________
PROBLEM:       A security vulnerability exists when Outlook is configured to 
               use Microsoft Word as the e-mail editor and the user forwards 
               or replies to a mail from an attacker. 
PLATFORM:      Systems using the following applications for e-mail: 
               Microsoft Outlook 2000 
               Microsoft Outlook 2002 
DAMAGE:        An attacker could exploit this vulnerability by sending a 
               specially malformed HTML e-mail containing a script to an 
               Outlook user who has Word enabled as the e-mail editor. If the 
               user replied to or forwarded the e-mail, the script would then 
               run, and be capable of taking any action the user could take. 
SOLUTION:      Apply the patch supplied by vendor. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. For an attacker to successfully exploit 
ASSESSMENT:    this vulnerability, the user would need to reply to or forward 
               the malicious e-mail. Simply reading it would not enable the 
               scripts to run, and the user could delete the mail without 
               risk. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-073.shtml 
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-021.asp 
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-021 *****]

Microsoft Security Bulletin MS02-021 

E-mail Editor Flaw Could Lead to Script Execution on Reply or 
Forward (Q321804)
Originally posted: April 25, 2002

Summary
Who should read this bulletin: Users of Microsoft® Outlook 2000 
or Outlook 2002 

Impact of vulnerability: Run Code of Attacker's Choice 

Maximum Severity Rating: Moderate 

Recommendation: Customers using WordMail should apply the patch 
immediately 

Affected Software: 

Microsoft Outlook 2000 
Microsoft Outlook 2002 

Technical details
Technical description: 

Outlook 2000 and 2002 provide the option to use Microsoft Word as 
the e-mail editor when creating and editing e-mail in either 
Rich-Text or HTML format. A security vulnerability exists when 
Outlook is configured this way and the user forwards or replies 
to a mail from an attacker. 

The vulnerability results from a difference in the security settings 
that are applied when displaying a mail versus editing one. When Outlook 
displays an HTML e-mail, it applies Internet Explorer security zone 
settings that disallow scripts from being run. However, if the user 
replies to or forwards a mail message and has selected Word as the 
e-mail editor, Outlook opens the mail and puts the Word editor into 
a mode for creating e-mail messages. Scripts are not blocked in this 
mode. 

An attacker could exploit this vulnerability by sending a specially 
malformed HTML e-mail containing a script to an Outlook user who has 
Word enabled as the e-mail editor. If the user replied to or forwarded 
the e-mail, the script would then run, and be capable of taking any 
action the user could take. 

Mitigating factors: 

The vulnerability only affects Outlook users who use Word as their 
e-mail editor. 

Users who have enabled the feature introduced in Office XP SP1 to read 
HTML mail as plain text are not vulnerable. 

For an attacker to successfully exploit this vulnerability, the user 
would need to reply to or forward the malicious e-mail. Simply reading 
it would not enable the scripts to run, and the user could delete the 
mail without risk. 

Severity Rating:
                Internet Servers    Intranet Servers    Client Systems
Outlook 2000    None                None                Moderate
Outlook 2002    None                None                Moderate

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. The e-mail recipient 
must be using Word as their e-mail editor and choose to reply to or 
forward a specially malformed HTML e-mail received from an attacker. 

Vulnerability identifier: CAN-2002-1056 

Tested Versions:
Microsoft tested Outlook 2000 and Outlook 2002 to assess whether they 
are affected by this vulnerability. Previous versions are no longer 
supported, and may or may not be affected by these vulnerabilities.


Patch availability
Download locations for this patch 
Microsoft Word 2002: 
Client Installation: http://office.microsoft.com/downloads/2002/wrd1003.aspx 
Administrative Installation: http://www.microsoft.com/office/ork/xp/journ/wrd1003a.htm 
Microsoft Word 2000: 
Client Installation: http://office.microsoft.com/downloads/2002/wrd0901.aspx 
Administrative Installation: http://www.microsoft.com/office/ork/xp/journ/wrd0901a.htm 

Additional information about this patch

Installation platforms: 
This patch can be installed on systems running Office 2000 SR-1 or greater
or Office XP SP-1 or greater. 

Inclusion in future service packs:
The fix for this issue will be included in any future service packs for 
Office. 

Reboot needed: No. 

Superseded patches: None. 

Verifying patch installation: 

Word 2002:
Verify that the version number of Winword.exe is 10.4009.3501 
Word 2000:
Verify that the version number of Winword.exe is 9.0.6328 
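
Added example (not part of the CIAC or Microsoft bulletin): a PowerShell check
that reads the file version of Winword.exe and compares it with the patched
builds listed above. The four-part expansions of the bulletin's version
strings, the App Paths lookup and the function names are assumptions of this
example.

```powershell
# Added example: compare an installed Winword.exe with the MS02-021 patched builds.
param(
    # Optional explicit path; otherwise the App Paths registry entry is used.
    [string]$Path
)

# Bulletin values: Word 2002 = 10.4009.3501, Word 2000 = 9.0.6328.
# ASSUMPTION: as four-part file versions these are 10.0.4009.3501 and 9.0.0.6328.
$Patched = @{
    10 = [version]'10.0.4009.3501'   # Word 2002 (Office XP)
    9  = [version]'9.0.0.6328'       # Word 2000
}

function Find-Winword {
    # Check both the native and the 32-bit registry view for the install path.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe'
    foreach ($k in $keys) {
        $item = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($item -and $item.'(default)') { return $item.'(default)'.Trim('"') }
    }
}

function Test-WordMailPatch {
    param([Parameter(Mandatory = $true)][string]$ExePath)
    # Use the numeric parts; the FileVersion string may carry extra text.
    $info = (Get-Item -LiteralPath $ExePath).VersionInfo
    $file = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                           $info.FileBuildPart, $info.FilePrivatePart)
    $status = if (-not $Patched.ContainsKey($file.Major)) {
        'NotCoveredByBulletin'        # neither Word 2000 nor Word 2002
    } elseif ($file -eq $Patched[$file.Major]) {
        'PatchedBuild'                # exactly the build the bulletin lists
    } elseif ($file -gt $Patched[$file.Major]) {
        'NewerThanPatchedBuild'       # later update or service pack
    } else {
        'OlderThanPatchedBuild'       # patch not applied
    }
    [pscustomobject]@{ Path = $ExePath; FileVersion = $file; Status = $status }
}

if (-not $Path) { $Path = Find-Winword }
if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
    Write-Warning 'Winword.exe not found; pass -Path explicitly.'
    return
}
Test-WordMailPatch -ExePath $Path
```

A status of OlderThanPatchedBuild on a machine where Outlook uses Word as the
e-mail editor marks a system that still needs the patch.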

Caveats:
None 

Localization:
Localized versions of this patch are under development. When completed, 
they will be available at the locations discussed in "Obtaining other 
security patches". 

Obtaining other security patches: 
Patches for other security issues are available from the following 
locations: 

Security patches are available from the Microsoft Download Center, and can 
be most easily found by doing a keyword search for "security_patch". 
Patches for consumer platforms are available from the WindowsUpdate web 
site. All patches available via WindowsUpdate also are available in a 
redistributable form from the WindowsUpdate Corporate site. 

Other information: 
Support: 

Microsoft Knowledge Base article Q321804 discusses this issue and will be 
available approximately 24 hours after the release of this bulletin. 
Knowledge Base articles can be found on the Microsoft Online Support web 
site. Technical support is available from Microsoft Product Support 
Services. There is no charge for support calls associated with security 
patches. 

Security Resources: 

The Microsoft TechNet Security Web Site provides additional information 
about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall Microsoft Corporation or its 
suppliers be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages, even 
if Microsoft Corporation or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply. 

Revisions: 

V1.0 (April 25, 2002): Bulletin Created. 

[***** End Microsoft Security Bulletin MS02-021 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-064: Cisco web interface vulnerabilities in ACS for Windows
M-065: Red Hat Race Conditions in "logwatch"
M-066: Microsoft Cumulative Patch for Internet Information Services (IIS) Vulnerabilities
M-067: SGI Mail, mailx, sort, timed, and gzip Vulnerabilities
M-068: Microsoft IE and Office for Macintosh Vulnerabilities
M-069: Microsoft SQL Server Unchecked Buffer Vulnerabilities
CIACTech02-003: Protecting Office for Mac X Antipiracy Server Ports
M-070: Apache HTTP Server on Win32 Vulnerability
M-071: Oracle9i User Privileges Vulnerability
M-072: FreeBSD stdio File Descriptors Vulnerability


