Microsoft Outlook Weak Security Enforcement When Editing Messages with Microsoft Word Lets Remote Users Send Malicious Code to Outlook Recipients That Will Be Executed When Forwarded or Replied To
SecurityTracker Alert ID: 1004157
SecurityTracker URL: http://securitytracker.com/id/1004157
Date: Apr 26 2002
Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 2000, 2002
A vulnerability was reported in Microsoft Outlook when Microsoft Word is used as the e-mail editor. A remote user could cause arbitrary code to be executed.
Microsoft reported that Outlook 2000 and 2002 are vulnerable when configured with the option to use Microsoft Word as the e-mail editor when creating and editing e-mail in either Rich-Text or HTML formats. This configuration is apparently referred to as "WordMail".
A remote user can send malicious mail to a target (victim) user so that when the target user replies to the mail or forwards the mail, arbitrary code is executed. This is apparently possible because of a flaw in the security restrictions that the WordMail editor applies when Outlook is editing a message (as opposed to reading it). Scripts are reportedly not blocked in this mode. The arbitrary script that runs on the target user's computer would be able to take nearly any actions acting as that user.
The vendor reports that you are not affected if you do not use Word as the e-mail editor within Outlook. Also, users of Office XP SP1 that have configured their system to read HTML mail as plain text are not vulnerable.
A remote user can send HTML or RTF-based e-mail to a target user to cause arbitrary code to be executed on the target user's computer when the target user replies to or forwards the message.
The vendor has released a fix.
For Microsoft Word 2002:
For Microsoft Word 2000:
This patch can reportedly be installed on systems running Office 2000 SR-1 or greater or Office XP SP-1 or greater. Microsoft plans to include this fix in any future service packs for Microsoft Office.
Microsoft plans to issue Knowledge Base article #Q321804 shortly, to be available at the Microsoft Online Support web site:
Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-021.asp
Access control error, State error
Underlying OS: Windows (Any)
Source Message Contents
Subject: Alert: Microsoft Security Bulletin - MS02-021
E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward (Q321804)
Originally posted: April 25, 2002
Impact of vulnerability: Run Code of Attacker's Choice
Maximum Severity Rating: Moderate
Recommendation: Customers using WordMail should apply the patch immediately
- Microsoft Outlook 2000
- Microsoft Outlook 2002
Outlook 2000 and 2002 provide the option to use Microsoft Word as the e-mail editor when creating and editing e-mail in either Rich-Text
or HTML format. A security vulnerability exists when Outlook is configured this way and the user forwards or replies to a mail from
The vulnerability results from a difference in the security settings that are applied when displaying a mail versus editing one.
When Outlook displays an HTML e-mail, it applies Internet Explorer security zone settings that disallow scripts from being run.
However, if the user replies to or forwards a mail message and has selected Word as the e-mail editor, Outlook opens the mail and
puts the Word editor into a mode for creating e-mail messages. Scripts are not blocked in this mode.
An attacker could exploit this vulnerability by sending a specially malformed HTML e-mail containing a script to an Outlook user who
has Word enabled as the e-mail editor. If the user replied to or forwarded the e-mail, the script would then run, and be capable
of taking any action the user could take.
- The vulnerability only affects Outlook users who use Word as their e-mail editor.
- Users who have enabled the feature introduced in Office XP SP1 to read HTML mail as plain text are not vulnerable.
- For an attacker to successfully exploit this vulnerability, the user would need to reply to or forward the malicious e-mail. Simply
reading it would not enable the scripts to run, and the user could delete the mail without risk.
Vulnerability identifier: CAN-2002-1056
This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been
a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]
I can only hope that the information it does contain can be read well enough to serve its purpose.
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor