Microsoft Security Advisory MS02-021 - Outlook 2000 and 2002 provide the option to use Microsoft Word as the e-mail editor when creating and editing e-mail in either Rich-Text or HTML format. A security vulnerability exists when Outlook is configured this way and the user forwards or replies to a mail from an attacker. This could be exploited by sending a specially malformed HTML e-mail containing a script to an Outlook user who has Word enabled as the e-mail editor. If the user replied to or forwarded the e-mail, the script would then run, and be capable of taking any action the user could take. Microsoft FAQ on this issue available here.
af9c8675fffa8910762ed27d32e08eb80905d4226158a10cdc3c91975f932db5
-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------
Title: E-mail Editor Flaw Could Lead to Script Execution on
Reply or Forward (Q321804)
Date: 25 April 2002
Software: Microsoft Outlook
Impact: Run Code of Attacker's Choice
Max Risk: Moderate
Bulletin: MS02-021
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-021.asp.
- ----------------------------------------------------------------------
Issue:
======
Outlook 2000 and 2002 provide the option to use Microsoft Word as
the e-mail editor when creating and editing e-mail in either
Rich-Text or HTML format. A security vulnerability exists when
Outlook is configured this way and the user forwards or replies
to a mail from an attacker.
The vulnerability results from a difference in the security
settings that are applied when displaying a mail versus editing
one. When Outlook displays an HTML e-mail, it applies Internet
Explorer security zone settings that disallow scripts from being
run. However, if the user replies to or forwards a mail message
and has selected Word as the e-mail editor, Outlook opens the mail
and puts the Word editor into a mode for creating e-mail
messages. Scripts are not blocked in this mode.
An attacker could exploit this vulnerability by sending a
specially malformed HTML e-mail containing a script to an Outlook
user who has Word enabled as the e-mail editor. If the user
replied to or forwarded the e-mail, the script would then run,
and be capable of taking any action the user could take.
Mitigating Factors:
====================
- The vulnerability only affects Outlook users who use Word as
their e-mail editor.
- Users who have enabled the feature introduced in Office XP SP1
to read HTML mail as plain text are not vulnerable.
- For an attacker to successfully exploit this vulnerability,
the user would need to reply to or forward the malicious e-mail.
Simply reading it would not enable the scripts to run, and the
user could delete the mail without risk.
Risk Rating:
============
- Internet systems: Low
- Intranet systems: Low
- Client systems: Moderate
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-021.asp
for information on obtaining this patch.
- ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBPMiceI0ZSRQxA/UrAQEAPggAhzRC6GplwMQgZzLvwjqeFbD7EVWceP4c
i2RhrpUsOsh/eKOqDXMhXklVToBbBp7mg3xFvoXdYURU6cC2XKEvIA5teFac+80b
UvtlqGc4xLLcX++Ha7NjTqZYMkvYcjhwTpTanmkJ2pARix+AzLnURFicAftFl34k
VxkZ987igMpoUM2zexEpC9dGsPAMRhXPJnn0bvk8ETQE5r+XOo5DhI3lTo3hVogC
3XzP2RCmkgdanOSfQdhddBxRhJ9Vz7FxrYG4CTtl96VxIAfvfEbJzuASVpqbMt3g
1N6wI/K4UN1qTDLoqBZplZa0x+q8FzIjd9n2IxaDUtu2dkxhVIfBGQ==
=TxYz
-----END PGP SIGNATURE-----