SecurityTracker.com
SecurityTracker Archives
Category:   Application (E-mail Server)  >   Microsoft Outlook
Vendors:   Microsoft
Microsoft Outlook May Fail to Encrypt User E-mail, Disclosing the Contents to Remote Users
SecurityTracker Alert ID:  1005966
SecurityTracker URL:  http://securitytracker.com/id/1005966
CVE Reference:   CVE-2003-0007
Date:  Jan 22 2003
Impact:   Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2002
Description:   A vulnerability was reported in Microsoft Outlook 2002 in the use of V1 Exchange Server Security certificates for encryption. The system may fail to encrypt user e-mail in a certain configuration.

It is reported that a flaw in Outlook 2002 may cause the contents of a user's HTML-based e-mail to be sent in plain text instead of being encrypted with the V1 Exchange Server Security certificate. The flaw is in the way in which Outlook 2002 processes a request to use a V1 Exchange Server Security certificate for encryption.

A remote user monitoring the network over which the e-mail was sent or with access to any of the e-mail servers that the mail traverses could view the plain text information. The sender of the e-mail may not be aware that the e-mail was sent in unencrypted form.

It is reported that the vulnerability only affects HTML-based e-mail.

Also, the system is not vulnerable when using S/MIME certificates (which is the default configuration), according to the vendor. Digital signatures are not affected.

To determine the type of certificate Outlook 2002 is using for encryption, check the Tools|Options|Security|Security Settings menu. If the security settings indicate that the "secure message format" is "Exchange Server Security," then Outlook 2002 is using a V1 Exchange Server Security certificate and may be affected.
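The failure mode described above, an HTML body leaving the client readable when the sender expected encryption, can be checked for at the mail boundary. The following is an added example, not from the advisory or from Microsoft: it classifies captured outbound RFC 822 messages as S/MIME enveloped or as carrying an HTML or plain-text body in the clear. It assumes messages are available as raw RFC 822 text (for example from a gateway journal) and that S/MIME enveloped-data is the expected protection; the sample messages and addresses are constructed.

```python
from email import policy
from email.parser import BytesParser

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def classify_message(raw: bytes) -> str:
    """Classify one raw RFC 822 message by whether its body is confidential."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg.get_content_type() in SMIME_TYPES:
        smime_type = (msg.get_param("smime-type") or "").lower()
        # Only enveloped-data hides the body; opaque signed-data is readable.
        return "encrypted" if smime_type == "enveloped-data" else "smime-signed-only"
    # multipart/signed and ordinary messages carry the body in the clear:
    # a digital signature gives integrity, not confidentiality.
    kinds = {part.get_content_type() for part in msg.walk()}
    if "text/html" in kinds:
        return "cleartext-html"
    if "text/plain" in kinds:
        return "cleartext-plain"
    return "no-readable-body"

def audit(messages):
    """Return (Message-ID, verdict) for every message whose body went out readable."""
    findings = []
    for raw in messages:
        verdict = classify_message(raw)
        if verdict.startswith("cleartext"):
            mid = BytesParser(policy=policy.default).parsebytes(raw)["Message-ID"]
            findings.append((str(mid).strip(), verdict))
    return findings

# Constructed sample messages (hypothetical addresses, not from the advisory).
CLEARTEXT_HTML = b"""\
From: alice@example.test
Message-ID: <1@example.test>
Content-Type: text/html; charset="us-ascii"

<html><body><p>Confidential: Q1 revenue figures</p></body></html>
"""

ENVELOPED = b"""\
From: alice@example.test
Message-ID: <2@example.test>
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""
```

Run `audit([...])` over a batch of captured messages; each returned tuple is a message whose body was readable by anyone on the delivery path.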

Impact:   A remote user monitoring e-mail during transit or storage could view a target user's e-mail contents.
Solution:   The vendor has released the following patches for Microsoft Outlook 2002:

http://microsoft.com/downloads/details.aspx?FamilyId=F20A2E4B-E458-48F0-B0CB-7E73C0BB4884&displaylang=en

http://download.microsoft.com/download/0/3/d/03dcc183-a46e-4c22-9fbd-1fcb32f0fd91/Olk1006a.exe
(administrative update only)

The patch can be installed on Outlook 2002 with Office XP SP2. The administrative update version of the patch can also be installed on Office XP SP1.

Microsoft plans to include this fix in any future service packs for Office XP.

Microsoft plans to issue Knowledge Base article 812262 regarding this issue, to be available shortly on the Microsoft Online Support web site:

http://support.microsoft.com/?scid=fh;en-us;kbhowto

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS03-003.asp
Cause:   Access control error, State error
Underlying OS:  Windows (Any)

Message History:   None.


Source Message Contents

Subject:  MS03-003


http://www.microsoft.com/technet/security/bulletin/MS03-003.asp

Flaw in how Outlook 2002 handles V1 Exchange Server Security Certificates could lead to Information Disclosure (812262)

Microsoft Security Bulletin MS03-003

Microsoft Outlook 2002

Maximum Severity Rating: Moderate

CVE: CAN-2003-0007


 
 


Copyright 2021, SecurityGlobal.net LLC