Bugtraq mailing list archives

Small flaw in Outlook Express


From: "Raistlin" <raistlin () gioco net>
Date: Wed, 5 Dec 2001 20:54:56 +0100

--- OVERVIEW ---

A small bug turned up by chance in the localized Italian version of Outlook
Express. It causes a plain text e-mail message to be displayed incorrectly.
There is no evidence that this could lead directly to any compromise; however,
it could be used to evade some e-mail content filters that are in place (for
example those concerned with the file://con/con and similar link-based bugs).

--- AFFECTED VERSIONS ---

From our tests:
Outlook Express version 5.50.4522.1200 ITALIAN is AFFECTED
Outlook Express version 5.00.2919.6600 ITALIAN is AFFECTED
Outlook Express version 5.50.4522.1200 ENGLISH is NOT affected
Outlook Express version 5.50.4133.2400 ITALIAN is NOT affected

Microsoft at first acknowledged this bug only in international versions, then
described it as a standard feature of IE/OE. I have no confirmation as to
whether version 6.0 is vulnerable or not.

--- DESCRIPTION OF BEHAVIOUR ---

The "bug" shows up in two different ways:

- when the user is composing a message, he simply can NOT type something like
"// ANYTHING" (without the intervening blank), because it is immediately
transformed into "file://" format. While this has NO security implication, it
is an obvious problem if you are writing, for example, a piece of JavaScript
code and want to include the <-- // --> block for hiding it from
JavaScript-impaired browsers (again, an additional space is inserted here). By
the way, this is how I discovered the problem, and, by the way again, I cannot
write out correctly what I mean since Outlook Express won't let me ^_^

- when the user receives an e-mail containing such a string, it is displayed
in the "file://" format, although a look at the raw format through
"file - properties - details - original message" shows the correct form of
the string. Thus, if a malicious user sends (not using Outlook :) an e-mail
containing just // and the infamous string con/con (if you are wondering,
yes, they are separated to allow me to write them), the rendered output
would be file://con/con , but a procmail filter, for instance, set up to
intercept all file:// references would not be triggered by the e-mail
message.

Curious add-on: if you watch the screen carefully, you can actually see the
CORRECT form (without file:// ) being displayed for a fraction of a second
before it changes... strange.
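As an added illustration of the filter-evasion point above (example code, not from the original post): a filter that looks only for the literal file:// scheme misses the bare // form, while a filter that first normalizes the text the way the Italian client is described as rendering it catches both. The rewrite rule is an assumption modelled on the post's description, not Outlook Express's actual logic.

```python
import re

# Constructed sample message bodies (not taken from the original post).
RAW_EXPLICIT = "Check this out: file://con/con"   # scheme spelled out
RAW_BARE = "Check this out: //con/con"            # what the post describes
RAW_BENIGN = "C++ comments start with // and run to end of line"

# Naive procmail-style rule: matches only the literal scheme.
NAIVE_PATTERN = re.compile(r"file://", re.IGNORECASE)

# Assumed model of the described rendering quirk: a "//" that is not already
# part of a "scheme://" and is immediately followed by a non-blank character
# is shown as "file://...".  This mimics the post's description only.
BARE_SLASHES = re.compile(r"(?<![:/\w])//(?=\S)")


def render_as_oe_italian(text: str) -> str:
    """Return the text as the described client would display it."""
    return BARE_SLASHES.sub("file://", text)


def naive_filter_hits(text: str) -> bool:
    """Filter that inspects only the bytes on the wire."""
    return bool(NAIVE_PATTERN.search(text))


def hardened_filter_hits(text: str) -> bool:
    """Filter that inspects what the client will actually display."""
    return naive_filter_hits(render_as_oe_italian(text))


if __name__ == "__main__":
    for label, body in (("explicit", RAW_EXPLICIT),
                        ("bare", RAW_BARE),
                        ("benign", RAW_BENIGN)):
        print(f"{label:8s} naive={naive_filter_hits(body)!s:5s} "
              f"hardened={hardened_filter_hits(body)!s:5s} "
              f"rendered={render_as_oe_italian(body)!r}")
```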

--- CONCLUSIONS ---

This small bug does not pose any real security risk, in my opinion - please,
don't tell me it is not threatening, I definitely know that myself. But I
wish to report something which, in my opinion, is quite strange.

Microsoft ( secure () microsoft com ) at first claimed to be unable to
reproduce the bug, then, when provided with further details, answered: "You
are right, it is a localized feature. From talking with our developers, what
you are seeing is by design."

The latest reply was: "We are unable to verify...we'll get back in touch
with you", but that was about a month ago, so I thought I might as well
disclose this small flaw and move on to something more important...

However, I am still wondering WHY this "feature" should be added, by design,
to the Italian language version and not to other products. What does this
"design" fix, actually? Will anybody answer me? Thanks in advance ;)

Stefano "Raistlin" Zanero
System Administrator Gioco.Net
public PGP key block at http://gioco.net/pgpkeys