SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Microsoft Outlook Vendors:   Microsoft
(Microsoft Issues Fix) Microsoft Outlook Allows Rogue HTML to Execute Arbitrary Commands on the User's Host
SecurityTracker Alert ID:  1001987
SecurityTracker URL:  http://securitytracker.com/id/1001987
CVE Reference:   CVE-2001-0538   (Links to External Site)
Date:  Jul 13 2001
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Outlook 98, 2000 or 2002
Description:   Georgi Guninski issued an advisory for Microsoft Outlook (part of Office XP), warning that it allows a web page or HTML-based e-mail message to cause arbitrary commands to be executed on the user's host.

The vulnerability is reportedly due to a vulnerable ActiveX control "Microsoft Outlook View Control" that is apparently installed by Outlook. This control reportedly exposes a property named "selection", which gives access to the user's mail messages, and the Outlook "Application" object, which allows commands to be executed on the user's host.

Impact:   A web page or HTML-based e-mail message could cause arbitrary commands to be executed on the user's host with the privileges of the user. This could also cause the user's e-mail to be viewed, modified, and/or deleted.
Solution:   The vendor has released a fix. See the Vendor URL for the vendor's advisory containing directions on how to obtain the appropriate fix.
Vendor URL:  www.microsoft.com/technet/security/bulletin/ms01-038.asp (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 12 2001 Microsoft Outlook Allows Rogue HTML to Execute Arbitrary Commands on the User's Host



 Source Message Contents

Subject:  Microsoft Security Bulletin MS01-038


The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Outlook View Control Exposes Unsafe Functionality
Date:       12 July 2001
Software:   Outlook 98, 2000, and 2002
Impact:     Run code of attacker's choice via either web page or HTML
            e-mail.
Bulletin:   MS01-038

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-038.asp.
- ----------------------------------------------------------------------

Issue:
======
The Microsoft Outlook View Control is an ActiveX control that allows
Outlook mail folders to be viewed via web pages. The control should
only allow passive operations such as viewing mail or calendar data.
In reality, though, it exposes a function that could allow the web
page to manipulate Outlook data. This could enable an attacker to
delete mail, change calendar information, or take virtually any other
action through Outlook including running arbitrary code on the user's
machine. 
Hostile web sites would pose the greatest threat with respect to this
vulnerability. If a user could be enticed into visiting a web page
controlled by an attacker, script or HTML on the page could invoke
the control when the page was opened. The script or HTML could then
use the control to take whatever action the attacker desired on the
user's Outlook data. 

It also would be possible for the attacker to send an HTML e-mail to
a user, with the intent of invoking the control when the recipient
opened the mail. However, the Outlook E-mail Security Update, that
automatically installs as part of Outlook 2002 would thwart such an
attack. The Update causes HTML e-mails to be opened in the Restricted
Sites Zone, where ActiveX controls are disabled by default. 

Microsoft is preparing a patch that will eliminate the vulnerability.
However, while this patch is under development, we recommend that
customers disable ActiveX controls in the Internet Zone to protect
against the web-based scenario discussed above. (The FAQ provides
information on how administrators can use Group Policy to make this
configuration change network-wide). To protect against the mail-borne
scenario, we strongly recommend that Outlook 98 and 2000 users
install the Outlook E-mail Security Update if they haven't already
done so. When the patch is complete, Microsoft will re-release this
bulletin and provide details on where to obtain the patch and how to
use it.

Mitigating Factors:
====================
 - The previously-released Outlook E-mail Security Update that is
   integrated into Outlook 2002 would prevent this vulnerability from
   being exploited via e-mail in all affected Outlook versions. 

 - The vulnerability provides no capability for the attacker to force
a
   user to visit a web page that exploits it. 

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-038.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBO05fMI0ZSRQxA/UrAQF0mwf8CE7Dm+m3/9gddmmIaBVGeMokvuJRwJa5
qlJv45jy/0jbjqq6GyFwVHS//S4rUg9aXFn/XooCc9piGbJhmY+o3uWr9XxdeZ/A
0+Do6QauobjjOdaMzJuGJ31aqIDqiVZdL4h/JQU6j0+n7MUVQM4hqlsCJDXXWv4u
2kNkd8Vi0zb1GxIZwJLHStmNi5NicgePQcuk7UirmLdYi8eSyOTfpcIp5WT7u7L9
h+4boyabo7cqTO5JSAtvoiqJnF/ItdYxeBKSfq2fCZQDgPYsSQIkvdLwGyqV4qG7
mh9y/N6qFZo7GhAFuQRgyn+ALgll6+5T1ojkiWVaWfO460a5TSM41w==
=tRTd
-----END PGP SIGNATURE-----

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For  more  information on  the  Microsoft  Security Notification  Service
please  visit  http://www.microsoft.com/technet/security/notify.asp.  For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC