Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2004.0202 -- US-CERT Technical Cyber Security Alert TA04-070A Microsoft Outlook mailto URL Handling Vulnerability 11 March 2004 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Microsoft Outlook 2002 Publisher: US-CERT Operating System: Windows XP Windows 2000 Windows NT Windows ME Windows 98SE Windows 98 Impact: Execute Arbitrary Code/Commands Access Required: Remote CVE Names: CAN-2004-0121 Ref: ESB-2004.0191 Comment: Microsoft has updated the severity of this vulnerability from "Important" to "Critical". The reason for this change is explained on the Microsoft site: '... it was determined that this vulnerability could also affect users who do not have the "Outlook Today" folder home page as their default home page in Outlook 2002.' - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Microsoft Outlook mailto URL Handling Vulnerability Original issue date: March 10, 2004 Last revised: -- Source: US-CERT Systems Affected * Microsoft Office XP (up to Service Pack 2) * Microsoft Outlook 2002 (up to Service Pack 2) Overview A vulnerability in the way that Microsoft Outlook 2002 handles a certain type of URL could allow a remote attacker to execute arbitrary code on the vulnerable system. I. Description Microsoft Outlook provides a centralized application for managing and organizing email messages, schedules, tasks, notes, contacts, and other information. Outlook is included as a component of newer versions of Microsoft Office and available as a stand-alone product. Outlook 2002 exposes a vulnerability due to inadequate checking of parameters passed to the Outlook email client. The vulnerability is caused by the way a "mailto:" URL is interpreted. An attacker creating specially formatted "mailto:" URLs can cause Outlook to run privileged script, ultimately leading to the execution of arbitrary code. The malicious code could be delivered to the victim via a specially crafted HTML email message or from an intruder-controlled web page. Microsoft originally stated that users were only at risk from this vulnerability when Outlook 2002 is configured as the default mail reader and when the "Outlook Today" home page is their default folder home page. Subsequent information has been published that indicates that this is not true and users in other situations are vulnerable via a slightly different attack vector. II. Impact An attacker could execute arbitrary code of their choosing on the system running the vulnerable version of Outlook. Upon successful exploitation, the malicious code would be executed in the context of the "Local Machine" Internet Explorer zone under the user running Outlook. III. Solution Apply a patch Apply the appropriate patch as specified by Microsoft Security Bulletin MS04-009. Workarounds Microsoft recommends the following workarounds for users who are unable to apply the patches: * Do not use the "Outlook Today" folder home page in Outlook 2002 You can help protect against this vulnerability by turning off the "Outlook today" folder home page in Outlook 2002. 1. In the "Folder List" window of Outlook, right-click on "Outlook Today" or "Mailbox - [User Name]" 2. Select Properties for "Outlook Today" or "Mailbox - [User Name]" 3. Select "Home Page" tab 4. Uncheck "Show home page by default for this folder" 5. Repeat for all other "Folder List" items labeled "Outlook Today" or "Mailbox - [User Name]" Impact of Workaround: The "Outlook Today" folder home page would no longer be available. * If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later, read email messages in plain text format to help protect yourself from the HTML email attack vector Microsoft Outlook 2002 users who have applied Service Pack 1 or later and Outlook Express 6.0 users who have applied Service Pack 1 or later can enable a feature that will enable them to view all non-digitally-signed email messages or non-encrypted email messages in plain text only. Digitally-signed email messages and encrypted email messages are not affected by the setting and may be read in their original formats. Instructions for enabling these settings can be found at the following locations: + Outlook 2002 - Microsoft Knowledge Base Article 307594 + Outlook Express 6.0 - Microsoft Knowledge Base Article 291387 Impact of Workaround: Email that is viewed in plain text format cannot contain pictures, specialized fonts, animations, or other rich content. Additionally: + The changes are applied to the preview pane and to open messages. + Pictures become attachments to avoid loss of message content. + The object model (custom code solutions) may behave unexpectedly because the message is still in Rich Text Format or in HTML format in the mail store. Appendix A. Vendor Information This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments. Microsoft Please see Microsoft Security Bulletin MS04-009. Appendix B. References * US-CERT Vulnerability Note VU#305206 - <http://www.kb.cert.org/vuls/id/305206> * iDEFENSE Security Advisory 03.09.04 - <http://www.idefense.com/application/poi/display?id=79&type=vulner abilities> * IETF RFC2368, "The mailto URL scheme" - <http://www.ietf.org/rfc/rfc2368.txt> * Microsoft Security Bulletin MS04-009 - <http://microsoft.com/technet/security/bulletin/MS04-009.aspx> * Microsoft Knowledge Base Article 307594 - <http://support.microsoft.com/default.aspx?kbid=307594> * Microsoft Knowledge Base Article 291387 - <http://support.microsoft.com/default.aspx?kbid=291387> _________________________________________________________________ This issue was jointly reported publicly by Microsoft Security and iDefense. They, in turn, credit Juoko Pyonen with the discovery and research of this vulnerability. Information from iDefense and Microsoft was used in this document. _________________________________________________________________ This document is also available online at <http://www.us-cert.gov/cas/techalerts/TA04-070A.html> Feedback can be directed to the authors, Chad Dougherty and Jeff Havrilla. _________________________________________________________________ Copyright 2004 Carnegie Mellon University. Terms of use, see <http://www.us-cert.gov/legal.html> Revision History March 10, 2004: Initial release - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFAT8dmXlvNRxAkFWARAnY5AKCZJY4Nm58+RJBK5nbzlgCCfhUC5QCfbnGl X5nSukAsCMCepN3+mFsxW50= =wQ3h - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBQE/bMyh9+71yA2DNAQJrvAP9F6ZsEZWgutuYYDAoZPLbxb8qottu8fil erz/hNIyMXtB/hPdR61HE7LzHivGZ0oVRKpMjx6zmtUcrfXGiOtPusmNP4tTPCKO HzrgdnyPwgr0dkXNhpU6WARtzG+3F0mbkcE7/vPhFYZwuusPU2djkxATB2go24nr SWoUupCTBqA= =VdUp -----END PGP SIGNATURE-----