===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2001.530 -- Microsoft Security Bulletin MS01-057 [REVISED]
Specially Formed Script in HTML Mail can Execute in Exchange 5.5 OWA
11 December 2001
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:          Microsoft Exchange 5.5 Server Outlook Web Access
Vendor:           Microsoft
Impact:           Execute Arbitrary Code/Commands
Access Required:  Remote

Ref:              ESB-2001.527

--------------------------BEGIN INCLUDED TEXT--------------------

----------------------------------------------------------------------
Title:      Specially Formed Script in HTML Mail can Execute in
            Exchange 5.5 OWA
Date:       06 December 2001
Revised:    07 December 2001 (version 2.0)
Software:   Microsoft Exchange 5.5 Server Outlook Web Access
Impact:     Run Code of Attacker's Choice
Max Risk:   Medium
Bulletin:   MS01-057

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-057.asp.
----------------------------------------------------------------------

Reason for Revision:
====================
On December 6, 2001 Microsoft released the original version of this bulletin. On December 7, 2001 an issue relating to file dependencies for the patch was identified and the bulletin was updated and re-released to include this information.

Specifically, for this patch to function properly, the Outlook Web Access (OWA) server on which the patch is installed must have Internet Explorer (IE) 5.0 or greater installed. If the patch is installed on a system with a version of IE older than 5.0, unexpected consequences may result.

The "Caveats" section has been updated to include version requirements for this patch.
In addition, it contains version recommendations for dependent components that are applicable at the time of this writing. In addition, the FAQ contains remediation information for customers who have applied this patch on systems with versions of IE older than 5.0.

Issue:
======
Outlook Web Access (OWA) is a service of Exchange 5.5 Server that allows users to access and manipulate messages in their Exchange mailbox by using a web browser.

A flaw exists in the way OWA handles inline script in messages in conjunction with Internet Explorer (IE). If an HTML message that contains specially formatted script is opened in OWA, the script executes when the message is opened. Because OWA requires that scripting be enabled in the zone where the OWA server is located, a vulnerability results because this script could take any action against the user's Exchange mailbox that the user himself was capable of, including sending, moving, or deleting messages. An attacker could maliciously exploit this flaw by sending a specially crafted message to the user. If the user opened the message in OWA, the script would then execute.

While it is possible for a script to send a message as the user, it is impossible for the script to send a message to addresses in the user's address book. Thus, the flaw cannot be exploited for mass-mailing attacks. Also, mounting a successful attack requires knowledge of the intended victim's choice of mail clients and reading habits. If the maliciously crafted message were read in any mail client other than a browser through OWA, the attack would fail.

Mitigating Factors:
====================
 - A successful attack would require the victim to read the message in IE using OWA only. The attack would fail if read in any other mail client.
 - A successful attack would also require knowledge of the version of OWA in use. The attack would fail on other versions of OWA.
 - A successful attack can only take action on the mailbox on the Exchange Server as the user.
   It cannot take action on the user's local machine. It cannot take actions on any other user's mailbox directly. Nor can it take actions directly on the Exchange Server.

Risk Rating:
============
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems: None

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms01-057.asp for information on obtaining this patch.

Acknowledgment:
===============
 - Lex Arquette of WhiteHat Security (http://www.whitehatsec.com)

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.