Securityvulns SECURITYVULNS:DOC:2846
Apr 26, 2002 - 12:00 a.m.

Security Bulletin MS02-021: E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward (Q321804)


Title: E-mail Editor Flaw Could Lead to Script Execution on
Reply or Forward (Q321804)
Date: 25 April 2002
Software: Microsoft Outlook
Impact: Run Code of Attacker's Choice
Max Risk: Moderate
Bulletin: MS02-021

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-021.asp.


Issue:

Outlook 2000 and 2002 provide the option to use Microsoft Word as
the e-mail editor when creating and editing e-mail in either
Rich-Text or HTML format. A security vulnerability exists when
Outlook is configured this way and the user forwards or replies
to a mail from an attacker.

The vulnerability results from a difference in the security
settings that are applied when displaying a mail versus editing
one. When Outlook displays an HTML e-mail, it applies Internet
Explorer security zone settings that disallow scripts from being
run. However, if the user replies to or forwards a mail message
and has selected Word as the e-mail editor, Outlook opens the mail
and puts the Word editor into a mode for creating e-mail
messages. Scripts are not blocked in this mode.

An attacker could exploit this vulnerability by sending a
specially malformed HTML e-mail containing a script to an Outlook
user who has Word enabled as the e-mail editor. If the user
replied to or forwarded the e-mail, the script would then run,
and be capable of taking any action the user could take.

Mitigating Factors:

  • The vulnerability only affects Outlook users who use Word as
    their e-mail editor.

  • Users who have enabled the feature introduced in Office XP SP1
    to read HTML mail as plain text are not vulnerable.

  • For an attacker to successfully exploit this vulnerability,
    the user would need to reply to or forward the malicious e-mail.
    Simply reading it would not enable the scripts to run, and the
    user could delete the mail without risk.

Risk Rating:

  • Internet systems: Low
  • Intranet systems: Low
  • Client systems: Moderate

Patch Availability:


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.