


Category:   Application (E-mail Client)  >   Microsoft Outlook
Vendors:   Microsoft
Microsoft Outlook Weak Security Enforcement When Editing Messages with Microsoft Word Lets Remote Users Send Malicious Code to Outlook Recipients That Will Be Executed When Forwarded or Replied To
SecurityTracker Alert ID:  1004157
SecurityTracker URL:
CVE Reference:   CVE-2002-1056
Date:  Apr 26 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2000, 2002
Description:   A vulnerability was reported in Microsoft Outlook when Microsoft Word is used as the e-mail editor. A remote user could cause arbitrary code to be executed.

Microsoft reported that Outlook 2000 and 2002 are vulnerable when configured with the option to use Microsoft Word as the e-mail editor when creating and editing e-mail in either Rich-Text or HTML formats. This configuration is apparently referred to as "WordMail".

A remote user can send malicious mail to a target (victim) user so that when the target user replies to or forwards the mail, arbitrary code is executed. This is apparently possible because of a flaw in the security restrictions that the WordMail editor applies when Outlook is editing a message (as opposed to reading it). Scripts are reportedly not blocked in this mode. The arbitrary script that runs on the target user's computer would be able to take nearly any action, acting as that user.

The vendor reports that you are not affected if you do not use Word as the e-mail editor within Outlook. Also, users of Office XP SP1 that have configured their system to read HTML mail as plain text are not vulnerable.

Impact:   A remote user can send HTML or RTF-based e-mail to a target user to cause arbitrary code to be executed on the target user's computer when the target user replies to or forwards the message.
Solution:   The vendor has released a fix.

For Microsoft Word 2002:

Client Installation:

Administrative Installation:

For Microsoft Word 2000:

Client Installation:

Administrative Installation:

This patch can reportedly be installed on systems running Office 2000 SR-1 or greater or Office XP SP-1 or greater. Microsoft plans to include this fix in any future service packs for Microsoft Office.

Microsoft plans to issue Knowledge Base article #Q321804 shortly, to be available at the Microsoft Online Support web site:

Vendor URL:
Cause:   Access control error, State error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Alert: Microsoft Security Bulletin - MS02-021

E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward (Q321804)

Originally posted: April 25, 2002


Impact of vulnerability: Run Code of Attacker's Choice

Maximum Severity Rating: Moderate

Recommendation: Customers using WordMail should apply the patch immediately

Affected Software: 
- Microsoft Outlook 2000
- Microsoft Outlook 2002

Technical description: 

Outlook 2000 and 2002 provide the option to use Microsoft Word as the e-mail editor when creating and editing e-mail in either Rich-Text or HTML format. A security vulnerability exists when Outlook is configured this way and the user forwards or replies to a mail from an attacker.

The vulnerability results from a difference in the security settings that are applied when displaying a mail versus editing one. When Outlook displays an HTML e-mail, it applies Internet Explorer security zone settings that disallow scripts from being run. However, if the user replies to or forwards a mail message and has selected Word as the e-mail editor, Outlook opens the mail and puts the Word editor into a mode for creating e-mail messages. Scripts are not blocked in this mode.

An attacker could exploit this vulnerability by sending a specially malformed HTML e-mail containing a script to an Outlook user who has Word enabled as the e-mail editor. If the user replied to or forwarded the e-mail, the script would then run, and be capable of taking any action the user could take.

Mitigating factors:
- The vulnerability only affects Outlook users who use Word as their e-mail editor.  
- Users who have enabled the feature introduced in Office XP SP1 to read HTML mail as plain text are not vulnerable.
- For an attacker to successfully exploit this vulnerability, the user would need to reply to or forward the malicious e-mail. Simply reading it would not enable the scripts to run, and the user could delete the mail without risk.

Vulnerability identifier: CAN-2002-1056

This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
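
Added example (not part of the advisory or the vendor bulletin): a mail-gateway style check that flags script-capable content in the HTML parts of a message and produces the text-only rendering, in the spirit of the "read HTML mail as plain text" mitigation described above. The sample message, class name and function name are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not taken from the advisory).
SAMPLE_EML = (
    "From: sender@example.com\r\n"
    "To: user@example.com\r\n"
    "Subject: quarterly figures\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    '<html><body onload="init()"><p>Please forward to your team.</p>'
    "<script>init_placeholder();</script></body></html>\r\n"
)

class ActiveContentScanner(HTMLParser):
    """Collects script-capable constructs and the visible text of an HTML body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self.text, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "object", "embed", "iframe"):
            self.findings.append(f"<{tag}> element")
        if tag in ("script", "style"):
            self._skip += 1          # do not treat code or CSS as visible text
        for name, value in attrs:    # names arrive lower-cased; value may be None
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif value and value.strip().lower().startswith(("javascript:", "vbscript:")):
                self.findings.append(f"script URL in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())

def scan_message(raw):
    """Return (findings, plain_text) across every text/html part of a message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, text = [], []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner = ActiveContentScanner()
            scanner.feed(part.get_content())
            scanner.close()
            findings += scanner.findings
            text += scanner.text
    return findings, " ".join(text)
```

A non-empty findings list marks a message whose HTML would carry active content into any editor that does not apply the reading-mode restrictions; the second return value is what a text-only view of the same message shows.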

