SecurityTracker.com
Category:   Application (E-mail Client)  >   Microsoft Outlook Express
Vendors:   Microsoft
Microsoft Outlook Express Again Executes Scripting Code in Plain Text E-mail Messages
SecurityTracker Alert ID:  1007306
SecurityTracker URL:  http://securitytracker.com/id/1007306
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 25 2003
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 5.5, 6.0
Description:   A recurrence of a previously fixed vulnerability was reported in Microsoft Outlook Express. A remote user can send scripting code in a plain text message that will execute on the target user's client.

http-equiv of malware.com reported that a remote user can embed HTML with active scripting code in a plain text e-mail message and send it to a Microsoft Outlook Express (OE) user. According to the report, OE will parse the HTML and execute the scripting code (if scripting is enabled on the target user's OE client), even though it is a plain text message.

The report indicates that OE 6 views messages in the "restricted zone" by default and also has an option to view messages in plain text, which mitigates this flaw.

This same issue was reported in September 2001 (Alert ID 1002413; CVE CAN-2001-0999) and was reportedly fixed some time ago and then reintroduced.

A demonstration exploit is provided:

MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Source: 25.07.03 http://www.malware.com

<img dynsrc=javascript:alert()><font color=red>foo

Impact:   A remote user can send HTML with scripting code in a plain text message to a target OE user, where the scripting code will be executed (if scripting is enabled).
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   State error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Fri, 25 Jul 2003 17:42:36 -0000
Subject:  TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")




Friday, July 25, 2003

Active Scripting and HTML in a plain text mail message: 

MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Source: 25.07.03 http://www.malware.com

<img dynsrc=javascript:alert()><font color=red>foo


The above is a legitimate RFC822 mail message in plain text. 
Ordinarily one would require an html mail message [Content-Type: 
text/html;] to parse html and scripting. The above functions under a 
plain text mail message in Outlook Express 6.00 and Outlook Express 
5.5 [perhaps others]. Outlook Express 6 has restricted zone as default 
as well as an option to read messages in plain text [use it !]. Other 
versions do not.

This was definitely fixed way back when:

[see: http://www.securityfocus.com/bid/3334 ]

And now appears to be back.

It can be of interest to admins who filter based on content type at 
the gateway, as well as newsgroup operators who do the same [less so 
as comprehensive].

Notes:

1. We're working on html in the 'plain text' zone of OE6 next.
2. None.


End Call

-- 
http://www.malware.com
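
For the gateway-filtering concern raised in the source message, an added example (not part of the advisory or the original report): a Python check that inspects the decoded body of every text/plain part for active HTML instead of trusting the Content-Type header. The pattern list, the function name and the sample messages are assumptions constructed for illustration; DEMO is modelled on the demonstration message above.

```python
import base64
import re
from email import message_from_string

# Patterns for markup that has no place in a text/plain part (illustrative list).
CHECKS = [
    ("active-tag", re.compile(r"<\s*(script|img|iframe|object|embed|bgsound|style|meta|link)\b", re.I)),
    ("script-uri", re.compile(r"\b(javascript|vbscript)\s*:", re.I)),
    ("event-attr", re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)),
]

# Constructed samples: same Content-Type and body as the demonstration message,
# once as 7bit, once base64-encoded, plus a harmless plain text message.
HEADERS = "MIME-Version: 1.0\nContent-Type: text/plain;\n"
PAYLOAD = "<img dynsrc=javascript:alert()><font color=red>foo\n"
DEMO = HEADERS + "Content-Transfer-Encoding: 7bit\n\n" + PAYLOAD
DEMO_B64 = (HEADERS + "Content-Transfer-Encoding: base64\n\n"
            + base64.b64encode(PAYLOAD.encode()).decode() + "\n")
BENIGN = HEADERS + "\nif a < b and c > d then see <http://example.com/>\n"


def scan_plain_parts(raw):
    """Return (part_index, reason) for each text/plain part carrying active HTML."""
    findings = []
    for idx, part in enumerate(message_from_string(raw).walk()):
        if part.is_multipart() or part.get_content_type() != "text/plain":
            continue
        # Undo the transfer encoding first so base64/QP cannot hide the markup.
        body = part.get_payload(decode=True) or b""
        try:
            text = body.decode(part.get_content_charset() or "latin-1", "replace")
        except LookupError:  # unknown charset label in the header
            text = body.decode("latin-1")
        findings += [(idx, name) for name, rx in CHECKS if rx.search(text)]
    return findings


if __name__ == "__main__":
    for label, raw in (("demo", DEMO), ("demo-b64", DEMO_B64), ("benign", BENIGN)):
        print(label, scan_plain_parts(raw))
```

A gateway would quarantine or rewrite any message for which this returns findings, rather than passing it through on the strength of its text/plain label.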





 
 

