SecurityTracker.com
Category:   Application (E-mail Client) > Microsoft Outlook
Vendors:   Microsoft
(Microsoft Issues Updated Fix) Microsoft Outlook Allows Rogue HTML to Execute Arbitrary Commands on the User's Host
SecurityTracker Alert ID:  1002207
SecurityTracker URL:  http://securitytracker.com/id/1002207
CVE Reference:   CVE-2001-0538
Date:  Aug 17 2001
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Outlook 98, 2000 or 2002
Description:   Georgi Guninski issued an advisory for Microsoft Outlook (part of Office XP), warning that it allows a web page or HTML-based e-mail message to cause arbitrary commands to be executed on the user's host.

The vulnerability is reportedly due to a vulnerable ActiveX control "Microsoft Outlook View Control" that is apparently installed by Outlook. This control reportedly exposes a property named "selection", which gives access to the user's mail messages, and the Outlook "Application" object, which allows commands to be executed on the user's host.

Impact:   A web page or HTML-based e-mail message could cause arbitrary commands to be executed on the user's host with the privileges of the user. This could also cause the user's e-mail to be viewed, modified, and/or deleted.
Solution:   The vendor has released an updated fix (a patch replacing the earlier workaround). See the Source Message for the vendor's advisory, which gives directions on how to obtain the appropriate fix.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Access control error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 12 2001 Microsoft Outlook Allows Rogue HTML to Execute Arbitrary Commands on the User's Host



Source Message Contents

Subject:  Microsoft Security Bulletin MS01-038 (version 2.0)


The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************



-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------------------
Title:      Outlook View Control Exposes Unsafe Functionality
Released:   12 July 2001
Revised:    16 August 2001 (version 2.0)
Software:   Outlook 2002, 2000, and 98
Impact:     Run code of attacker's choice
Bulletin:   MS01-038

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-038.asp.
----------------------------------------------------------------------

Reason for Revision:
====================
The original version of the bulletin advised customers of a
workaround procedure that could be used while a patch was under
development.  We have now completed the patch, and have re-released
this bulletin to advise customers of its availability.

Issue:
======
On July 12, 2001, Microsoft released the original version of this
bulletin, to advise customers of a vulnerability affecting Microsoft
Outlook and to recommend that they temporarily use an administrative
procedure to protect their systems. A patch that eliminates the
vulnerability is now available. An updated version of the bulletin
was released on August 16, 2001, to announce the availability of the
patch and to advise customers that the administrative procedure is no
longer needed. 

The Microsoft Outlook View Control is an ActiveX control that allows
Outlook mail folders to be viewed via web pages. The control should
only allow passive operations such as viewing mail or calendar data.
In reality, though, it exposes a function that could allow the web
page to manipulate Outlook data. This could enable an attacker to
delete mail, change calendar information, or take virtually any other
action through Outlook including running arbitrary code on the user's
machine. 

Hostile web sites would pose the greatest threat with respect to this
vulnerability. If a user could be enticed into visiting a web page
controlled by an attacker, script or HTML on the page could invoke
the control when the page was opened. The script or HTML could then
use the control to take whatever action the attacker desired on the
user's Outlook data. 

It also would be possible for the attacker to send an HTML e-mail to
a user, with the intent of invoking the control when the recipient
opened the mail. However, the Outlook E-mail Security Update, that
automatically installs as part of Outlook 2002 would thwart such an
attack. The Update causes HTML e-mails to be opened in the Restricted
Sites Zone, where ActiveX controls are disabled by default.

Mitigating Factors:
====================
 - The newly-released Outlook E-mail Security Update that is integrated
   into Outlook 2002 would also prevent this vulnerability from being
   exploited via e-mail in all affected Outlook versions.

 - The vulnerability provides no capability for the attacker to force a
   user to visit a web page that exploits it.

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-038.asp
   for information on obtaining this patch.

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBO3xkSI0ZSRQxA/UrAQHSjQf/aWgDy/LTwpN2bkmPP5Dxx9/5ZEfjxLT0
9JDvWseC2SgNO/kYqrwRfKBBMSZGgX6Fb6EtX5UcW61OnxjftWJF9C4mUktsJEMu
3YsRBDLZySPlMvMRjNLixfL5KNVjOv0fMDjdh45d7i5JUqpTc5eTd6A/kzK7lNW+
BOcWWPe5+ofhpaZJZFlCy9uC1t5KDeB9tYsmKKpf6iJXBlOyw1WsdE1ctpAPWw04
nzwIerS6+gYsmQ9IxtnnUjuuCDbZeGp9eUJxuae4kBwvsM5wVJBBQajmQexXyQ0J
R9DrlSN5+DoWJo739g7I4RQwSlpmBW5Vf2gsQTKTmBcCQjdNjK6PbA==
=8+Mv
-----END PGP SIGNATURE-----



   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For  more  information on  the  Microsoft  Security Notification  Service
please  visit  http://www.microsoft.com/technet/security/notify.asp.  For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
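The bulletin's main mitigating factor is that HTML mail is rendered in the Restricted Sites zone, where ActiveX controls are disabled, and its broader lesson is that a control exposing unsafe functionality should be kept out of reach of web content until it is patched. The PowerShell script below is an added example written for this archive page; it is not code from SecurityTracker or from the Microsoft bulletin. It audits two standard Windows settings a defender would verify on an affected host: whether the Restricted Sites zone (zone 4) actually disables "Run ActiveX controls and plug-ins" (URL action 1200), and whether the ActiveX "kill bit" (Compatibility Flags 0x400) is set for a given control. The registry locations are the documented Internet Explorer zone and ActiveX Compatibility keys; the CLSID parameter is a placeholder, because the page does not give the control's CLSID, and must be replaced with the real value before the kill-bit check means anything.

```powershell
# Added example: audit host-side mitigations for an unsafe ActiveX control.
# Not part of the SecurityTracker entry or the Microsoft bulletin.
#   1. Restricted Sites zone (zone 4), action 1200 = "Run ActiveX controls
#      and plug-ins": 0 = Enable, 1 = Prompt, 3 = Disable.
#   2. Kill bit for a CLSID under the IE "ActiveX Compatibility" key:
#      DWORD "Compatibility Flags" with bit 0x400 set.
# The default CLSID below is a PLACEHOLDER; pass the real control's CLSID.
[CmdletBinding()]
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder
)

function Get-ZoneActiveXPolicy {
    # Returns the effective setting for one URL action in one security zone.
    # HKCU holds the per-user setting; HKLM is consulted as a fallback (it is
    # the authoritative location when the "Security_HKLM_only" policy is on).
    param([int]$Zone = 4, [string]$Action = '1200')
    $paths = @(
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone",
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name $Action -ErrorAction SilentlyContinue).$Action
        if ($null -ne $v) {
            $state = switch ($v) {
                0       { 'Enable' }
                1       { 'Prompt' }
                3       { 'Disable' }
                default { "Unknown($v)" }
            }
            return [pscustomobject]@{ Zone = $Zone; Action = $Action; Path = $p; Value = $v; State = $state }
        }
    }
    return $null
}

function Test-ActiveXKillBit {
    # True when the control is blocked from instantiation by IE/HTML rendering.
    param([Parameter(Mandatory)][string]$Clsid)
    $key   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Clsid   = $Clsid
        Flags   = $flags
        KillBit = (($null -ne $flags) -and (($flags -band 0x400) -ne 0))
    }
}

# --- Check 1: does Restricted Sites really disable ActiveX? ---
$zone = Get-ZoneActiveXPolicy -Zone 4 -Action '1200'
if ($null -eq $zone) {
    Write-Warning 'Restricted Sites ActiveX setting (action 1200) not found in HKCU or HKLM.'
} elseif ($zone.State -ne 'Disable') {
    Write-Warning "Restricted Sites zone allows ActiveX ($($zone.State), from $($zone.Path)); HTML mail opened there can instantiate controls."
} else {
    Write-Output "Restricted Sites zone: ActiveX $($zone.State) (from $($zone.Path))"
}

# --- Check 2: is the control kill-bitted? ---
$kb = Test-ActiveXKillBit -Clsid $Clsid
if ($kb.KillBit) {
    Write-Output ("Kill bit set for {0} (Compatibility Flags = 0x{1:X})" -f $kb.Clsid, $kb.Flags)
} else {
    Write-Warning "No kill bit for $($kb.Clsid); web content and HTML mail outside the Restricted Sites zone can still instantiate it."
}
```

Run it as `.\Check-ActiveXMitigation.ps1 -Clsid '{...}'` with the real CLSID. A result of "Disable" for zone 4 confirms the condition the bulletin relies on for the e-mail vector; the kill-bit check covers the web-page vector, which the zone setting alone does not address, and is the general-purpose way to neutralize a known-unsafe control on hosts that cannot be patched immediately.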
