Microsoft Outlook Weak Security Enforcement When Editing Messages with Microsoft Word Lets Remote Users Send Malicious Code to Outlook Recipients That Will Be Executed When Forwarded or Replied To
|
Date: Apr 26 2002
|
Impact: Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 2000, 2002
|
Description: A vulnerability was reported in Microsoft Outlook when Microsoft Word is used as the e-mail editor. A remote user could cause arbitrary code to be executed.
Microsoft reported that Outlook 2000 and 2002 are vulnerable when configured with the option to use Microsoft Word as the e-mail
editor when creating and editing e-mail in either Rich-Text or HTML formats. This configuration is apparently referred to as "WordMail".
A
remote user can send malicious mail to a target (victim) user so that when the target user replies to the mail or forwards the mail,
arbitrary code is executed. This is apparently possible because of a flaw in the security restrictions that the WordMail editor
applies when Outlook is editing a message (as opposed to reading it). Scripts are reportedly not blocked in this mode. The arbitrary
script that runs on the target user's computer would be able to take nearly any actions acting as that user.
The vendor reports
that you are not affected if you do not use Word as the e-mail editor within Outlook. Also, users of Office XP SP1 that have configured
their system to read HTML mail as plain text are not vulnerable.
|
Impact: A remote user can send HTML or RTF-based e-mail to a target user to cause arbitrary code to be executed on the target user's computer when the target user replies to or forwards the message.
|
Solution: The vendor has released a fix.
For Microsoft Word 2002:
Client Installation:
http://office.microsoft.com/downloads/2002/wrd1003.aspx
Administrative Installation:
http://www.microsoft.com/office/ork/xp/journ/wrd1003a.htm
For Microsoft Word 2000:
Client
Installation:
http://office.microsoft.com/downloads/2002/wrd0901.aspx
Administrative Installation:
http://www.microsoft.com/office/ork/xp/journ/wrd0901a.htm
This patch can reportedly be installed on systems running Office 2000 SR-1 or greater or Office XP SP-1 or greater. Microsoft
plans to include this fix any future service packs for Microsoft Office.
Microsoft plans to issue Knowledge Base article #Q321804
shortly, to be available at the Microsoft Online Support web site:
http://search.support.microsoft.com/kb/c.asp?SD=SO&LN=EN-US
|
Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-021.asp (Links to External Site)
|
Cause: Access control error, State error
|
Underlying OS: Windows (Any)
|
Reported By: Russ <Russ.Cooper@RC.ON.CA>
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 25 Apr 2002 20:30:18 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
Subject: Alert: Microsoft Security Bulletin - MS02-021
|
http://www.microsoft.com/technet/security/bulletin/MS02-021.asp
E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward (Q321804)
Originally posted: April 25, 2002
Summary
Who should read this bulletin: Users of Microsoft® Outlook 2000 or Outlook 2002
Impact of vulnerability: Run Code of Attacker's Choice
Maximum Severity Rating: Moderate
Recommendation: Customers using WordMail should apply the patch immediately
Affected Software:
- Microsoft Outlook 2000
- Microsoft Outlook 2002
Technical description:
Outlook 2000 and 2002 provide the option to use Microsoft Word as the e-mail editor when creating and
editing e-mail in either Rich-Text
or HTML format. A security vulnerability exists when Outlook is configured this way and the user for
wards or replies to a mail from
an attacker.
The vulnerability results from a difference in the security settings that are applied when displaying
a mail versus editing one.
When Outlook displays an HTML e-mail, it applies Internet Explorer security zone settings that disal
low scripts from being run.
However, if the user replies to or forwards a mail message and has selected Word as the e-mail edito
r, Outlook opens the mail and
puts the Word editor into a mode for creating e-mail messages. Scripts are not blocked in this mode
.
An attacker could exploit this vulnerability by sending a specially malformed HTML e-mail containing
a script to an Outlook user who
has Word enabled as the e-mail editor. If the user replied to or forwarded the e-mail, the script w
ould then run, and be capable
of taking any action the user could take.
Mitigating factors:
- The vulnerability only affects Outlook users who use Word as their e-mail editor.
- Users who have enabled the feature introduced in Office XP SP1 to read HTML mail as plain text are
not vulnerable.
- For an attacker to successfully exploit this vulnerability, the user would need to reply to or forw
ard the malicious e-mail. Simply
reading it would not enable the scripts to run, and the user could delete the mail without risk.
Vulnerability identifier: CAN-2002-1056
This email is sent to NTBugtraq automatically as a service to my subscribers. Since its programmatica
lly created, and since its been
a long time since anyone paid actual money for my programming skills, it may or may not look that go
od...;-]
I can only hope that the information it does contain can be read well enough to serve its purpose.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
|
|
