(Microsoft Issues Fix) Microsoft Outlook Allows Rogue HTML to Execute Arbitrary Commands on the User's Host
SecurityTracker Alert ID: 1001987|
SecurityTracker URL: http://securitytracker.com/id/1001987
(Links to External Site)
Date: Jul 13 2001
Execution of arbitrary code via network, Modification of user information, User access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): Outlook 98, 2000 or 2002|
Georgi Guninski issued an advisory for Microsoft Outlook (part of Office XP), warning that it allows a web page or HTML-based e-mail message to cause arbitrary commands to be executed on the user's host.|
The vulnerability is reportedly due to a vulnerable ActiveX control "Microsoft Outlook View Control" that is apparently installed by Outlook. This control reportedly exposes a property named "selection", which gives access to the user's mail messages, and the Outlook "Application" object, which allows commands to be executed on the user's host.
A web page or HTML-based e-mail message could cause arbitrary commands to be executed on the user's host with the privileges of the user. This could also cause the user's e-mail to be viewed, modified, and/or deleted.|
The vendor has released a fix. See the Vendor URL for the vendor's advisory containing directions on how to obtain the appropriate fix.|
Vendor URL: www.microsoft.com/technet/security/bulletin/ms01-038.asp (Links to External Site)
Access control error|
|Underlying OS: Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: Microsoft Security Bulletin MS01-038|
The following is a Security Bulletin from the Microsoft Product Security
Please do not reply to this message, as it was sent from an unattended
-----BEGIN PGP SIGNED MESSAGE-----
Title: Outlook View Control Exposes Unsafe Functionality
Date: 12 July 2001
Software: Outlook 98, 2000, and 2002
Impact: Run code of attacker's choice via either web page or HTML
Microsoft encourages customers to review the Security Bulletin at:
The Microsoft Outlook View Control is an ActiveX control that allows
Outlook mail folders to be viewed via web pages. The control should
only allow passive operations such as viewing mail or calendar data.
In reality, though, it exposes a function that could allow the web
page to manipulate Outlook data. This could enable an attacker to
delete mail, change calendar information, or take virtually any other
action through Outlook including running arbitrary code on the user's
Hostile web sites would pose the greatest threat with respect to this
vulnerability. If a user could be enticed into visiting a web page
controlled by an attacker, script or HTML on the page could invoke
the control when the page was opened. The script or HTML could then
use the control to take whatever action the attacker desired on the
user's Outlook data.
It also would be possible for the attacker to send an HTML e-mail to
a user, with the intent of invoking the control when the recipient
opened the mail. However, the Outlook E-mail Security Update, that
automatically installs as part of Outlook 2002 would thwart such an
attack. The Update causes HTML e-mails to be opened in the Restricted
Sites Zone, where ActiveX controls are disabled by default.
Microsoft is preparing a patch that will eliminate the vulnerability.
However, while this patch is under development, we recommend that
customers disable ActiveX controls in the Internet Zone to protect
against the web-based scenario discussed above. (The FAQ provides
information on how administrators can use Group Policy to make this
configuration change network-wide). To protect against the mail-borne
scenario, we strongly recommend that Outlook 98 and 2000 users
install the Outlook E-mail Security Update if they haven't already
done so. When the patch is complete, Microsoft will re-release this
bulletin and provide details on where to obtain the patch and how to
- The previously-released Outlook E-mail Security Update that is
integrated into Outlook 2002 would prevent this vulnerability from
being exploited via e-mail in all affected Outlook versions.
- The vulnerability provides no capability for the attacker to force
user to visit a web page that exploits it.
- A patch is available to fix this vulnerability. Please read the
for information on obtaining this patch.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
-----END PGP SIGNATURE-----
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.
To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.