
From: Russ (Russ.CooperRC.ON.CA)
Date: Thu Apr 25 2002 - 19:30:18 CDT

    http://www.microsoft.com/technet/security/bulletin/MS02-021.asp

    E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward (Q321804)

    Originally posted: April 25, 2002

    Summary

    Who should read this bulletin: Users of Microsoft® Outlook 2000 or Outlook 2002

    Impact of vulnerability: Run Code of Attacker's Choice

    Maximum Severity Rating: Moderate

    Recommendation: Customers using WordMail should apply the patch immediately

    Affected Software:
    - Microsoft Outlook 2000
    - Microsoft Outlook 2002

    Technical description:

    Outlook 2000 and 2002 provide the option to use Microsoft Word as the e-mail editor when creating and editing e-mail in either Rich-Text or HTML format. A security vulnerability exists when Outlook is configured this way and the user forwards or replies to a mail from an attacker.

    The vulnerability results from a difference in the security settings that are applied when displaying a mail versus editing one. When Outlook displays an HTML e-mail, it applies Internet Explorer security zone settings that disallow scripts from being run. However, if the user replies to or forwards a mail message and has selected Word as the e-mail editor, Outlook opens the mail and puts the Word editor into a mode for creating e-mail messages. Scripts are not blocked in this mode.

    An attacker could exploit this vulnerability by sending a specially malformed HTML e-mail containing a script to an Outlook user who has Word enabled as the e-mail editor. If the user replied to or forwarded the e-mail, the script would then run, and be capable of taking any action the user could take.

    Mitigating factors:
    - The vulnerability only affects Outlook users who use Word as their e-mail editor.
    - Users who have enabled the feature introduced in Office XP SP1 to read HTML mail as plain text are not vulnerable.
    - For an attacker to successfully exploit this vulnerability, the user would need to reply to or forward the malicious e-mail. Simply reading it would not enable the scripts to run, and the user could delete the mail without risk.
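    As an added defender-side example (not part of the Microsoft bulletin or of Russ's post), a small gateway-style check in Python that parses a raw MIME message and flags, in every text/html part, the active content this bulletin is about: script elements, inline event-handler attributes and javascript: URLs. A mail that trips the check can be quarantined or, in line with the last mitigating factor, delivered as plain text. The class and function names and the sample message are constructed for this illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

class ScriptFinder(HTMLParser):
    # Records active content in an HTML body: script elements, on* handlers, javascript: URLs.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")

def scan_message(raw):
    # Parse a raw MIME message and scan every text/html part; [] means no active content found.
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ScriptFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings

# Constructed sample (not a real message): the HTML part carries all three kinds; the script is inert.
SAMPLE_EML = b"""Subject: constructed sample
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Hello
--b1
Content-Type: text/html

<html><body onload="void 0"><p>Hello</p>
<script>var marker = 1;</script>
<a href="javascript:void 0">link</a></body></html>
--b1--
"""

print(scan_message(SAMPLE_EML))
```

The check is deliberately conservative: any HTML mail that carries script is flagged, whatever the recipient's editor, since the reply and forward paths are where the script would run.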

    Vulnerability identifier: CAN-2002-1056

    This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

    I can only hope that the information it does contain can be read well enough to serve its purpose.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor