Issue : Outlook Express address book allows
messages to be intercepted by 3rd party
Date Released : 16 March 2001
Vendor Notified : 16 March 2001
Affected : Outlook Exress 5.5SP1 and prior
Risk : Low/Average
Discovered : 18 December 2000 by 3APA3A
Remotely Exploitable : Yes
Vendor URL : http://www.microsoft.com
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories
It's possible for remote user to cause messages written for one e-mail
address to be delivered to another e-mail address.
Outlook Express has option "Automatically put people I reply to in my
address book". Then enabled, this option causes Outlook to make
automatically new address book entries mapping NAME of received
message to e-mail ADDRESS. Then message is composed Outlook Express
checks address book for NAME and sets complete e-mail ADDRESS instead.
Situation: 2 good users G1 and G2 with addresses [email protected] and
[email protected] and one bad user B, [email protected] Imagine B wants to get
messages G1 sends to G2. Scenario:
1. B composes message with headers:
From: "[email protected]" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
To: G1 <[email protected]>
Subject: how to catch you on Friday?
and sends it to [email protected]
2. G1 receives mail, which looks absolutely like mail received from
[email protected] and replies it. Reply will be received by B. In this case
new entry is created in address book pointing NAME "[email protected]" to
ADDRESS [email protected]
3. Now, if while composing new message G1 directly types e-mail
address [email protected] instead of G2, Outlook will compose address as
"[email protected]" <[email protected]> and message will be received by B.
Disable "Automatically put people I reply to in my address book"
Microsoft was contacted, accepted problem and replied it's impossible
to fix it until next IE 5.5 SP.