SecurityvulnsSECURITYVULNS:DOC:462Security Bulletin (MS00-045)
Microsoft Security Bulletin (MS00-045)
Patch Available for "Persistent Mail-Browser Link" Vulnerability
Originally Posted: July 20, 2000
Summary
Microsoft has released a patch that eliminates a security
vulnerability affecting Microsoft(r) Outlook Express. The
vulnerability could allow a malicious user to send an email that
would "read over the shoulder" of the recipient as he previews
subsequent emails in Outlook Express.
A patch is available that eliminates this vulnerability as well as
those discussed in Microsoft Security Bulletins MS00-043 and
MS00-046. Customers who already have taken the corrective action
discussed in either of these bulletins do not need to take any
additional action.
Frequently asked questions regarding this vulnerability and the
patch can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-045.asp
Issue
By design, HTML mail can contain script, and among the actions such a
script can take is to open a browser window that links back to the
Outlook Express windows. Also by design, script in the browser window
could read the HTML mail that is displayed in Outlook Express.
However, a vulnerability results because the link could be made
persistent. This could allow the browser window to retrieve the text
of mails subsequently displayed in the preview pane, and relay it to
the malicious user.
There are several significant restrictions on this vulnerability:
- Only the recipient could open the HTML mail that established
the link. - The attack would only persist until the user either closed
the browser window that the HTML mail opened, or closed
Outlook Express. - The malicious user could only read mails that were displayed
in the preview pane. If the preview pane feature were
disabled, he could not read mails under any conditions.
The vulnerability is eliminated in Outlook Express 5.5, and customers
who have installed it do not need to take any additional action.
Outlook Express 5.5 is available as part of Internet Explorer 5.01
Service Pack 1, and, except when installed on Windows 2000, Internet
Explorer 5.5. A patch is available for customers who prefer not to
upgrade to Outlook Express 5.5.
Affected Software Versions
- Microsoft Outlook Express 4.0
- Microsoft Outlook Express 4.01
- Microsoft Outlook Express 5.0
- Microsoft Outlook Express 5.01
Patch Availability
This vulnerability can be eliminated by taking any of the following
actions:
- Installing the patch available at
http://www.microsoft.com/windows/ie/download/critical/patch9.htm - Performing a default installation of Internet Explorer 5.01
Service Pack 1,
http://www.microsoft.com/Windows/ie/download/ie501sp1.htm. - Performing a default installation of Internet Explorer 5.5
(http://www.microsoft.com/windows/ie/download/ie55.htm)
on any system except Windows 2000.
Note: The patch requires IE 4.01 SP2
(http://www.microsoft.com/windows/ie/download/ie401sp2.htm) or
IE 5.01 (http://www.microsoft.com/windows/ie/download/ie501.htm)
to install. Customers who install this patch on versions other
than these may receive a message reading "This update does not
need to be installed on this system". This message is incorrect.
More information is available in KB article Q261255.
Note: In addition to eliminating the vulnerability at issue
here, the steps above also eliminate all vulnerabilities
discussed in Microsoft Security Bulletins MS00-043
(http://www.microsoft.com/technet/security/bulletin/MS00-043.asp)
and MS00-046
(http://www.microsoft.com/technet/security/bulletin/MS00-046.asp).
Customers who already have taken the corrective action discussed
in either of these bulletins do not need to take any additional
action.
Note: Additional security patches are available at the Microsoft
Download Center (http://www.microsoft.com/downloads).
More Information
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-045,
http://www.microsoft.com/technet/security/bulletin/fq00-045.asp - Microsoft Knowledge Base article Q261255 discusses this
vulnerability and will be available soon. - Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.
Revisions
- June 20, 2000: Bulletin Created.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.
Last Updated July 20, 2000
(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.