Computer Security

Issue                   :  Outlook  Express  address  book allows
                           messages to be intercepted by 3rd party
Date Released           :  16 March 2001
Vendor Notified         :  16 March 2001
Affected                :  Outlook Express 5.5SP1 and prior
Risk                    :  Low/Average
Discovered              :  18 December 2000 by 3APA3A
Remotely Exploitable    :  Yes
Vendor URL              :
SECURITY.NNOV advisories:


It's possible for a remote user to cause messages written for one
e-mail address to be delivered to another e-mail address.


Outlook Express has an option "Automatically put people I reply to in my
address book". When enabled, this option causes Outlook to automatically
create new address book entries mapping the NAME of a received message
to its e-mail ADDRESS. When a message is composed, Outlook Express checks
the address book for NAME and substitutes the complete e-mail ADDRESS.


Situation: 2 good users, G1 and G2, with addresses [email protected] and
[email protected], and one bad user B, [email protected]. Imagine B wants to get
the messages G1 sends to G2. Scenario:

1. B composes message with headers:

From: "[email protected]" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
To: G1 <[email protected]>
Subject: how to catch you on Friday?

and sends it to [email protected]

2. G1 receives mail which looks exactly like mail received from
[email protected] and replies to it. The reply will be received by B. In this
case a new entry is created in the address book, pointing NAME
"[email protected]" to ADDRESS [email protected]

3. Now, if G1, while composing a new message, directly types the e-mail
address [email protected] instead of G2, Outlook will compose the address as
"[email protected]" <[email protected]> and the message will be received by B.


Disable  "Automatically  put  people  I  reply to in my address  book"
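
The header pattern from step 1 can also be checked for on the receiving
side. The following Python code is an added example, not part of the
original advisory: it flags From, Reply-To and Sender headers whose
display NAME contains an e-mail address that differs from the real
ADDRESS. The function name and the sample addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Loose pattern for "text that looks like an e-mail address".
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample mirroring step 1 (all addresses are placeholders).
SPOOFED = (
    'From: "g2@good.example" <b@bad.example>\n'
    'Reply-To: "g2@good.example" <b@bad.example>\n'
    "To: G1 <g1@good.example>\n"
    "Subject: how to catch you on Friday?\n"
    "\n"
    "body\n"
)

# Constructed benign sample: the name is plain text, or repeats the
# real address (compared case-insensitively).
BENIGN = (
    'From: "G2" <g2@good.example>\n'
    'Reply-To: "g2@good.example" <G2@good.example>\n'
    "To: G1 <g1@good.example>\n"
    "\n"
    "body\n"
)


def mismatched_display_names(raw_message,
                             headers=("From", "Reply-To", "Sender")):
    """Return (header, address_claimed_in_name, real_address) tuples for
    every mailbox whose display name embeds a different address."""
    msg = message_from_string(raw_message)
    findings = []
    for header in headers:
        # getaddresses() splits each header into (NAME, ADDRESS) pairs.
        for name, addr in getaddresses(msg.get_all(header, [])):
            for claimed in ADDR_RE.findall(name):
                if claimed.lower() != addr.lower():
                    findings.append((header, claimed, addr))
    return findings


if __name__ == "__main__":
    for finding in mismatched_display_names(SPOOFED):
        print("%s: name claims %s but address is %s" % finding)
```
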


Microsoft was contacted, acknowledged the problem and replied that it
cannot be fixed until the next IE 5.5 SP.


Not yet.

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod