
ms02-021

Posted Apr 26, 2002

Microsoft Security Advisory MS02-021 - Outlook 2000 and 2002 provide the option to use Microsoft Word as the e-mail editor when creating and editing e-mail in either Rich-Text or HTML format. A security vulnerability exists when Outlook is configured this way and the user forwards or replies to a mail from an attacker. This could be exploited by sending a specially malformed HTML e-mail containing a script to an Outlook user who has Word enabled as the e-mail editor. If the user replied to or forwarded the e-mail, the script would then run, and be capable of taking any action the user could take. Microsoft FAQ on this issue available here.

SHA-256 | af9c8675fffa8910762ed27d32e08eb80905d4226158a10cdc3c91975f932db5

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: E-mail Editor Flaw Could Lead to Script Execution on
Reply or Forward (Q321804)
Date: 25 April 2002
Software: Microsoft Outlook
Impact: Run Code of Attacker's Choice
Max Risk: Moderate
Bulletin: MS02-021

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-021.asp.
- ----------------------------------------------------------------------

Issue:
======
Outlook 2000 and 2002 provide the option to use Microsoft Word as
the e-mail editor when creating and editing e-mail in either
Rich-Text or HTML format. A security vulnerability exists when
Outlook is configured this way and the user forwards or replies
to a mail from an attacker.

The vulnerability results from a difference in the security
settings that are applied when displaying a mail versus editing
one. When Outlook displays an HTML e-mail, it applies Internet
Explorer security zone settings that disallow scripts from being
run. However, if the user replies to or forwards a mail message
and has selected Word as the e-mail editor, Outlook opens the mail
and puts the Word editor into a mode for creating e-mail
messages. Scripts are not blocked in this mode.

An attacker could exploit this vulnerability by sending a
specially malformed HTML e-mail containing a script to an Outlook
user who has Word enabled as the e-mail editor. If the user
replied to or forwarded the e-mail, the script would then run,
and be capable of taking any action the user could take.
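
The display-versus-edit gap described above means script in an HTML body matters even when the reading pane blocks it. The following is an added example, not part of the Microsoft bulletin: a Python sketch of a mail-gateway check that flags script-bearing HTML parts before delivery. The class and function names, the addresses, and the sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser


class ScriptFinder(HTMLParser):
    """Collects active-content markers found in one HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            url = (value or "").strip().lower()
            if name.startswith("on"):  # heuristic: onload, onclick, ...
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "src") and url.startswith(("javascript:", "vbscript:")):
                self.findings.append(f"script URL in {name} on <{tag}>")


def scan_message(raw):
    """Return active-content findings across every text/html part of a message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ScriptFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings


# Constructed sample messages (hypothetical addresses, inert script body).
SCRIPTED = (
    "From: sender@example.com\nTo: user@example.com\nSubject: test\n"
    "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
    '<html><body onload="init()"><p>Hello</p>'
    "<script>/* placeholder */</script></body></html>\n"
)
PLAIN_HTML = SCRIPTED.replace(' onload="init()"', "").replace(
    "<script>/* placeholder */</script>", "")

if __name__ == "__main__":
    for label, raw in (("scripted", SCRIPTED), ("plain", PLAIN_HTML)):
        print(label, scan_message(raw))
```

A gateway could quarantine flagged messages or deliver only a plain-text rendering, which mirrors the read-as-plain-text mitigation listed below.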

Mitigating Factors:
====================
- The vulnerability only affects Outlook users who use Word as
their e-mail editor.

- Users who have enabled the feature introduced in Office XP SP1
to read HTML mail as plain text are not vulnerable.

- For an attacker to successfully exploit this vulnerability,
the user would need to reply to or forward the malicious e-mail.
Simply reading it would not enable the scripts to run, and the
user could delete the mail without risk.

Risk Rating:
============
- Internet systems: Low
- Intranet systems: Low
- Client systems: Moderate

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-021.asp
for information on obtaining this patch.


- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

