Bugtraq mailing list archives

Microsoft Security Bulletin MS01-038

From: Microsoft Product Security <secnotif () MICROSOFT COM>
Date: Thu, 12 Jul 2001 19:38:59 -0700
The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Outlook View Control Exposes Unsafe Functionality
Date:       12 July 2001
Software:   Outlook 98, 2000, and 2002
Impact:     Run code of attacker's choice via either web page or HTML
            e-mail.
Bulletin:   MS01-038

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-038.asp.
- ----------------------------------------------------------------------

Issue:
======
The Microsoft Outlook View Control is an ActiveX control that allows
Outlook mail folders to be viewed via web pages. The control should
only allow passive operations such as viewing mail or calendar data.
In reality, though, it exposes a function that could allow the web
page to manipulate Outlook data. This could enable an attacker to
delete mail, change calendar information, or take virtually any other
action through Outlook including running arbitrary code on the user's
machine. 
Hostile web sites would pose the greatest threat with respect to this
vulnerability. If a user could be enticed into visiting a web page
controlled by an attacker, script or HTML on the page could invoke
the control when the page was opened. The script or HTML could then
use the control to take whatever action the attacker desired on the
user's Outlook data. 

It also would be possible for the attacker to send an HTML e-mail to
a user, with the intent of invoking the control when the recipient
opened the mail. However, the Outlook E-mail Security Update, that
automatically installs as part of Outlook 2002 would thwart such an
attack. The Update causes HTML e-mails to be opened in the Restricted
Sites Zone, where ActiveX controls are disabled by default. 

Microsoft is preparing a patch that will eliminate the vulnerability.
However, while this patch is under development, we recommend that
customers disable ActiveX controls in the Internet Zone to protect
against the web-based scenario discussed above. (The FAQ provides
information on how administrators can use Group Policy to make this
configuration change network-wide). To protect against the mail-borne
scenario, we strongly recommend that Outlook 98 and 2000 users
install the Outlook E-mail Security Update if they haven't already
done so. When the patch is complete, Microsoft will re-release this
bulletin and provide details on where to obtain the patch and how to
use it.

Mitigating Factors:
====================
 - The previously-released Outlook E-mail Security Update that is
   integrated into Outlook 2002 would prevent this vulnerability from
   being exploited via e-mail in all affected Outlook versions. 

 - The vulnerability provides no capability for the attacker to force
a
   user to visit a web page that exploits it. 

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-038.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBO05fMI0ZSRQxA/UrAQF0mwf8CE7Dm+m3/9gddmmIaBVGeMokvuJRwJa5
qlJv45jy/0jbjqq6GyFwVHS//S4rUg9aXFn/XooCc9piGbJhmY+o3uWr9XxdeZ/A
0+Do6QauobjjOdaMzJuGJ31aqIDqiVZdL4h/JQU6j0+n7MUVQM4hqlsCJDXXWv4u
2kNkd8Vi0zb1GxIZwJLHStmNi5NicgePQcuk7UirmLdYi8eSyOTfpcIp5WT7u7L9
h+4boyabo7cqTO5JSAtvoiqJnF/ItdYxeBKSfq2fCZQDgPYsSQIkvdLwGyqV4qG7
mh9y/N6qFZo7GhAFuQRgyn+ALgll6+5T1ojkiWVaWfO460a5TSM41w==
=tRTd
-----END PGP SIGNATURE-----

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For  more  information on  the  Microsoft  Security Notification  Service
please  visit  http://www.microsoft.com/technet/security/notify.asp.  For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
Current thread:

Microsoft Security Bulletin MS01-038 Microsoft Product Security (Jul 13)
- Re: Microsoft Security Bulletin MS01-038 Silviu Cojocaru (Jul 15)