Computer Security
[EN] securityvulns.ru no-pyccku


Related information

  Microsoft Outlook shell characters problem

  iDEFENSE Security Advisory 03.09.04: Microsoft Outlook "mailto:" Parameter Passing Vulnerability

From:MICROSOFT <secure_(at)_microsoft.com>
Date:10.03.2004
Subject:Microsoft Security Bulletin MS04-009

 Microsoft Security Bulletin MS04-009
 Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)
 
 Issued: March 9, 2004
 Version: 1.0
 
 Summary
 Who Should Read This Document:
 Customers that are using Microsoft® Office XP and Outlook 2002
 
 Impact of Vulnerability:
 Remote Code Execution
 
 Maximum Severity Rating:
 Important
 
 Recommendation:
 Customers should install the patch at the earliest opportunity.
 
 Security Update Replacement:
 None
 
 Caveats:
 None
 
 Tested Software and Security Update Download Locations:
 
 Affected Software
 
 • Microsoft Office XP Service Pack 2- Download the update
 
 • Microsoft Outlook 2002 Service Pack 2- Download the update
 
 
 Non Affected Software
 
 • Microsoft Office 2000 Service Pack 3
 
 • Microsoft Office XP Service Pack 3
 
 • Microsoft Office 2003
 
 • Microsoft Outlook 2000 Service Pack 3
 
 • Microsoft Outlook 2002 Service Pack 3
 
 • Microsoft Outlook 2003
 
 
 The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security patch support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.
 
 Top of section
 General Information
  Technical details
 
 Technical description:
 
 A security vulnerability exists within Outlook 2002 that could allow Internet Explorer to execute script code in the Local Machine zone on an affected system. The parsing of specially crafted mailto URLs by Outlook 2002 causes this vulnerability. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page.
 
 The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message. After the user has visited the malicious Web site or viewed the malicious HTML e-mail message an attacker who successfully exploited this vulnerability could access files on a user's system or run arbitrary code on a user's system. This code would run in the security context of the currently logged-on user. Outlook 2002 is available as a separate product and is also included as part of Office XP.
 
 Mitigating factors:
 
 • When an Outlook profile is first created and at least one e-mail account is set up during the initial configuration of the profile the default folder home page is automatically changed from "Outlook Today" to "Inbox."
 
 • Users are only at risk from this vulnerability when the "Outlook Today" home page is their default folder home page. This is the default configuration when an Outlook profile is created without any e-mail accounts.
 
 • Users are only at risk from this vulnerability when Outlook 2002 is configured as the default mail reader and when the "Outlook Today" home page is their default folder home page. Installing other e-mail clients may change this configuration as they can register themselves as the default mail reader on the system.
 
 • If an attacker exploited this vulnerability, the attacker would gain only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than users who operate with administrative privileges.
 
 
 Severity Rating:
 
 Microsoft Office XP
  Important
 
 Microsoft Outlook 2002
  Important
 
 
 The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
 
 Vulnerability identifier: CAN-2004-0121
 
 Top of section
  Workarounds
 
 Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability. However, they help block known attack vectors. Workarounds may reduce functionality in some cases; in such cases, the reduction in functionality is identified below.
 
 Do not use "Outlook Today" as the default home page in Outlook 2002
 
 You can help protect against this vulnerability by changing your default folder home page in Outlook 2002 to the "Inbox" or some other folder than "Outlook Today". The "Outlook Today" home page is only the default folder home page when an Outlook profile is originally configured without any e-mail accounts.
 
 1.
  In Outlook 2002, click Options in the Tools menu.
 
 2.
  Under the tab Other choose Advanced Options.
 
 3.
  Set your "Startup in this folder:" to Inbox if it is set to Outlook Today.
 
 
 Impact of Workaround:
 
 The "Outlook Today" folder home page would not be the default view.
 
 If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later, read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector
 
 Microsoft Outlook 2002 users who have applied Service Pack 1 or later and Outlook Express 6.0 users who have applied Service Pack 1 or later can enable a feature that will enable them to view all non-digitally-signed e-mail messages or non-encrypted e-mail messages in plain text only.
 
 Digitally-signed e-mail messages and encrypted e-mail messages are not affected by the setting and may be read in their original formats.
 
 See Microsoft Knowledge Base Article 307594 for information about how to enable this setting in Outlook 2002.
 
 See Microsoft Knowledge Base Article 291387for information about how to enable this setting in Outlook Express 6.0
 
 Impact of Workaround:
 
 E-mail that is viewed in plain text format cannot contain pictures, specialized fonts, animations, or other rich content. Additionally:
 
 • The changes are applied to the preview pane and to open messages.
 
 • Pictures become attachments to avoid loss of message content.
 
 • Because the message is still in Rich Text Format or in HTML format in the store, the object model (custom code solutions) may behave unexpectedly because the message is still in Rich Text Format or in HTML format in the mail store.
 
 
 Top of section
  Frequently asked questions
 
 What is the scope of the vulnerability?
 A privilege elevation vulnerability exists within Outlook 2002, and its handling of mailto URLs, that could allow Internet Explorer to execute script in the Local Machine Zone on an affected system. Outlook 2002 is available as a separate product and is also included as part of Office XP. An attacker who successfully exploited this vulnerability could access files on a user's system or run arbitrary code on a user's system.
 Users are only at risk from this vulnerability when the "Outlook Today" home page is their default folder home page. The "Outlook Today" home page is only the default folder home page when an Outlook profile is originally configured without any e-mail accounts. When an Outlook profile is first created, for instance when Outlook is started for the first time, and at least one e-mail account is set up during the initial configuration of the profile the default folder home page is automatically changed from "Outlook Today" to "Inbox".
 
 What causes the vulnerability?
 The vulnerability is caused by the way a mailto URL is interpreted by Outlook 2002. By creating a specially formatted mailto URL it is possible to get Outlook 2002 to interpret the URL in a manner that could allow code execution.
 
 What is a mailto URL?
 The mailto URL scheme is defined in RFC 2368. The RFC states that "The mailto URL scheme is used to designate the Internet mailing address of an individual or service. In its simplest form, a mailto URL contains an Internet mail address. For greater functionality, because interaction with some resources may require message headers or message bodies to be specified as well as the mail address, the mailto URL scheme is extended to allow setting mail header fields and the message body."
 
 What might an attacker use the vulnerability to do?
 An attacker who successfully exploited this vulnerability could cause Internet Explorer to execute script in the Local Machine Zone on an affected system. An attacker who exploited this vulnerability could access files on a user's system or run arbitrary code on a user's system.
 
 How could an attacker exploit this vulnerability?
 To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message.
 
 What systems are primarily at risk from the vulnerability?
 Users who use Outlook 2002 as their default e-mail client and who have "Outlook Today" as their default folder home page are primarily at risk from this vulnerability.
 
 I am using Outlook 2002, how do I know whether I am vulnerable?
 The "Outlook Today" home page is only the default folder home page when an Outlook profile is originally configured without any e-mail accounts. When an Outlook profile is first created, for instance when Outlook is started for the first time, and at least one e-mail account is set up during the initial configuration of the profile the default folder home page is automatically changed from "Outlook Today" to "Inbox".
 You can verify what default folder home page you have in Outlook by following these steps:
 
 1.
  In Outlook 2002, click Options in the Tools menu.
 
 2.
  Under the tab Other choose Advanced Options.
 
 3.
  "Startup in this folder:" would typically say "Inbox" but it could also be set to Outlook Today or any other Outlook folder.
 
 
 If the "Startup in this folder" is set to "Outlook Today" and you do use Outlook for e-mail then it is recommended that you instead set it to your "Inbox".
 
 Is Office 2000 or Office 2003 affected by this vulnerability?
 No. These versions have tested and have been found to not be affected by this vulnerability.
 
 Are any versions of Outlook Express affected by this vulnerability?
 No. However, if Outlook 2002 is configured as the default e-mail reader on that system, reading a malicious HTML e-mail message with any version of Outlook Express could allow the malformed mailto URL to be passed to Outlook 2002. For Outlook Express 6 Service Pack 1 or greater, reading e-mail message in plain text can be used as a work around for this type of attack. For more information please see the Workarounds section in this document.
 
 What does the update do?
 The update modifies the way that the mailto URL is processed by Outlook 2002.
 
 Top of section
  Security Update Information
 
 Installation Platforms and Prerequisites:
 
 For information about the specific security update for your platform, click the appropriate link:
 
  Outlook 2002 available separately and as a component of Office XP
 
 Note This update as well as many other updates to Office XP is included in Office XP Service Pack 3. Customers are encouraged to install Office XP Service Pack 3 at the earliest available opportunity.
 
 Prerequisites Administrative Update
 
 Windows Installer Update Requirements
 
 To install the update that is described in this bulletin requires Windows Installer 2.0 or later. Both Microsoft Windows XP and Microsoft Windows 2000 Service Pack 3 (SP3) include Windows Installer 2.0 or later. To install the latest version of the Windows Installer, visit one of the following Microsoft Web sites.
 
 • Windows Installer for Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows Millennium Edition (Me)
 
 • Windows Installer for Microsoft Windows NT 4.0 and Windows 2000
 
 
 Inclusion in service packs:
 
 This update issue is included in Office XP Service Pack 3.
 
 Installation Information for the Update
 
 If you installed your Office XP product from a server location, the server administrator must update the server location with the administrative update and deploy that update to your computer.
 
 1.
  Download the administrative version of the Outlook 2002 Security Update.
 
 2.
  Click Save to save the officexp-kb828040-fullfile-enu.exe file to the selected folder.
 
 3.
  In Windows Explorer, double-click officexp-kb828040-fullfile-enu.exe.
 
 4.
  If you are prompted to install the update, click Yes.
 
 5.
  Click Yes to accept the License Agreement.
 
 6.
  In the Type the location where you want to place the extracted files box, type c:\kb828040, and then click OK.
 
 7.
  Click Yes when you are prompted to create the folder.
 
 8.
  If you are familiar with the procedure for updating your administrative installation, click Start, and then click Run. Type the following command in the Open box
 
 msiexec /a Admin Path\MSI File /p C:\kb828040\MSP File SHORTFILENAMES=TRUE
 
 where Admin Path is the path to your administrative installation point for Office XP (for example, C:\OfficeXP), MSI File is the .msi database package for the Office XP product (for example, Proplus.msi), and MSP File is the name of the administrative update (for example, OUTLOOKff.msp).
 
 Note: You can append /qb+ to the command line so that the Office XP Administrative Installation dialog box and the End User License Agreement dialog box do not appear.
 
 
 Deployment Information
 
 To deploy the update to the client workstations, click Start, and then click Run. Type the following command in the Open box
 
 msiexec /i Admin Path\MSI File REINSTALL=Feature List REINSTALLMODE=vomu
 
 where Admin Path is the path to your administrative installation point for Office XP (for example, C:\OfficeXP), MSI File is the MSI database package for the Office XP product (for example, Proplus.msi), and Feature List is the list of feature names (case sensitive) that have to be reinstalled for the update. To install all features, you can use REINSTALL=ALL, or you can install the following feature(s):
 
 OUTLOOKNonBootFiles, OUTLOOKFiles
 
 For additional information about how to update your administrative installation and deploy to client workstations, click the following article number to view the article in the Microsoft Knowledge Base:
 
 301348 OFFXP: How to Install a Public Update to an Administrative Installation
 
 Restart Requirement
 
 No Restart required.
 
 Removal Information
 
 This security update can not be uninstalled.
 
 File Information
 
 The English version of this update has the file attributes (or later) that are listed in the following table.
 
 File Name Size Date File Version
 DLGSETP.DLL
  80,440
  9/12/2003
  10.00.5626.0000
 
 ENVELOPE.DLL
  109,128
  9/12/2003
  10.00.4817.0000
 
 EXCHCSP.DLL
  253,952
  9/12/2003
  10.00.5328.0000
 
 EXSEC32.DLL
  346,696
  9/12/2003
  10.00.4907.0000
 
 IMPMAIL.DLL
  137,800
  9/12/2003
  10.00.4406.0000
 
 OUTLCM.DLL
  543,288
  9/12/2003
  10.00.5424.0000
 
 OUTLCTL.DLL
  100,936
  9/12/2003
  10.00.5112.0000
 
 OUTLLIB.DLL
  6,322,744
  9/12/2003
  10.00.5709.0000
 
 OUTLMIME.DLL
  92,744
  9/12/2003
  10.00.4608.0000
 
 OUTLOOK.EXE
  47,672
  9/12/2003
  10.00.5709.0000
 
 OUTLPH.DLL
  121,400
  9/12/2003
  10.00.5703.0000
 
 RECALL.DLL
  47,688
  9/12/2003
  10.00.4721.0000
 
 
 To determine the version of Outlook that is installed on your computer, follow these steps.
 
 Note: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
 
 1.
  Click Start, and then click Search.
 
 2.
  In the Search Results pane, click All files and folders under Search Companion.
 
 3.
  In the All or part of the file name box, type Outlook.exe, and then click Search.
 
 4.
  In the list of files, right-click Outlook.exe, and then click Properties.
 
 5.
  On the Version tab, determine the version of Outlook that is installed on your computer.
 
 
 For additional information about how to determine the version of Outlook 2002 on your computer, click the following article number to view the article in the Microsoft Knowledge Base:
 
 291331 HOW TO: Check the Version of Office XP
 
 Note: If the Outlook 2002 Security Update: KB828040 is already installed on your computer, you receive the following error message when you try to install Outlook 2002 Security Update: KB828040:
 
 This update has already been applied or is included in an update that has already been applied.
 
 Top of section
 Top of section
 Acknowledgments
 
 Microsoft thanks the following for working with us to help protect customers:
 
 • iDefense and Jouko Pynnönen for reporting the issue described in MS04-009.
 
 
 Obtaining other security updates:
 
 Updates for other security issues are available from the following locations:
 
 • Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
 
 • Updates for consumer platforms are available from the Windows Update Web site.
 
 
 Support:
 
 • Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates.
 
 • International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. Information on how to contact Microsoft support is available at the International Support Web Site.
 
 
 Security Resources:
 
 • The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
 
 • Microsoft Software Update Services
 
 • Microsoft Baseline Security Analyzer (MBSA)
 
 • Windows Update
 
 • Windows Update Catalog: Please view Knowledge Base Article 323166 for more information on the Windows Update Catalog.
 
 • Office Update
 
 
 Systems Management Server (SMS):
 
 Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web Site. For detailed information about the many enhancements to the security update deployment process that SMS 2003 provides, please visit the SMS 2003 Security Patch Management Web site. Some software updates may require administrative rights following a restart of the computer.
 
 Disclaimer:
 
 The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
 
 Revisions:
 
 • V1.0 (March 9, 2004): Bulletin published
 
 

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod