__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

       Microsoft Outlook Could Allow Unauthorized Code Execution
               [Microsoft Security Bulletin MS04-009]

March 9, 2004 22:00 GMT                                    Number O-096
[REVISED 11 Mar 2004]
______________________________________________________________________________

PROBLEM:       A vulnerability exists within Outlook 2002 and its handling
               of mailto URLs. Outlook 2002 is available as a separate
               product and is also included as part of Office XP.

SOFTWARE:      Microsoft Outlook 2002 Service Pack 2

DAMAGE:        A vulnerability exists within Outlook 2002, and its handling
               of mailto URLs, that could allow Internet Explorer to execute
               script in the Local Machine Zone on an affected system. An
               attacker who successfully exploited this vulnerability could
               access files on a user's system or run arbitrary code on a
               user's system.

               **NOTE--Originally we said that users are only vulnerable when
               the "Outlook Today" page was the default folder home page.
               However, it has been determined that a two-page exploit could
               be used where the first page opens "Outlook Today" and the
               second exploits the vulnerability.**

SOLUTION:      Install the available patch.
______________________________________________________________________________

VULNERABILITY  The risk is Medium. The vulnerability allows privilege
ASSESSMENT:    escalation. Malicious code could run in the security context
               of the logged-in user. However, a user must be persuaded to
               visit a malicious website for successful exploitation.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-096.shtml
 ORIGINAL BULLETIN:  Microsoft Security Bulletin MS04-009
                     http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-0121
______________________________________________________________________________

REVISION HISTORY:
 03/11/04 - Updated to reflect changes Microsoft has made in the Technical
            Description section of MS04-009; our DAMAGE section has been
            modified accordingly.

[***** Start Microsoft Security Bulletin MS04-009 *****]

Microsoft Security Bulletin MS04-009

Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)

Issued:  March 9, 2004
Updated: March 10, 2004
Version: 2.1

Summary

Who Should Read This Document: Customers that are using Microsoft(R) Office XP
and Outlook 2002

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software
 * Microsoft Office XP Service Pack 2 - Download the update
 * Microsoft Outlook 2002 Service Pack 2 - Download the update

Note: An administrative update is also available; please see the Security
Update Information section for more details.

Non Affected Software
 * Microsoft Office 2000 Service Pack 3
 * Microsoft Office XP Service Pack 3
 * Microsoft Office 2003
 * Microsoft Outlook 2000 Service Pack 3
 * Microsoft Outlook 2002 Service Pack 3
 * Microsoft Outlook 2003

The software listed above has been tested to determine whether these
versions are affected. Other versions either no longer include security
patch support or may not be affected. Please review the Microsoft Support
Lifecycle Web site to determine the support lifecycle for your product and
version.
General Information

Technical details

Technical description:

Subsequent to the release of this bulletin, it was determined that this
vulnerability could also affect users who do not have the "Outlook Today"
folder home page as their default home page in Outlook 2002. As a result,
Microsoft has re-released this bulletin with a new severity rating of
"critical" to reflect the expanded attack vector. The update released with
the original version of this security bulletin is effective in protecting
from the vulnerability, and users who have applied the update or have
installed Office XP Service Pack 3 do not need to take additional action.

In addition, Microsoft is making available an additional "client update"
for customers on the Microsoft Download Center. This additional update does
not contain new fixes or functionality, but is instead an additional
offering of the update that provides an alternative for customers. More
information on the client update is available in the Security Update
Information section.

A security vulnerability exists within Outlook 2002 that could allow
Internet Explorer to execute script code in the Local Machine zone on an
affected system. The parsing of specially crafted mailto URLs by Outlook
2002 causes this vulnerability.

To exploit this vulnerability, an attacker would have to host a malicious
Web site that contained a Web page designed to exploit the vulnerability and
then persuade a user to view the Web page. The attacker could also create an
HTML e-mail message designed to exploit the vulnerability and persuade the
user to view the HTML e-mail message. After the user has visited the
malicious Web site or viewed the malicious HTML e-mail message, an attacker
who successfully exploited this vulnerability could access files on a user's
system or run arbitrary code on a user's system. This code would run in the
security context of the currently logged-on user.
Outlook 2002 is available as a separate product and is also included as part
of Office XP.

Mitigating factors:
 * Users who read e-mail messages in plain text format are at less risk
   from the HTML e-mail attack vector, as they would need to click on a link
   in an e-mail message to be affected.
 * If an attacker exploited this vulnerability, the attacker would gain only
   the same privileges as the user. Users whose accounts are configured to
   have few privileges on the system would be at less risk than users who
   operate with administrative privileges.

Severity Rating:
 *************************************
 Microsoft Office XP          Critical
 *************************************
 Microsoft Outlook 2002       Critical
 *************************************

The above assessment is based on the types of systems that are affected by
the vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2004-0121

Workarounds

Microsoft has tested the following workarounds. These workarounds will not
correct the underlying vulnerability. However, they help block known attack
vectors. Workarounds may reduce functionality in some cases; in such cases,
the reduction in functionality is identified below.

Do not use the "Outlook Today" folder home page in Outlook 2002

You can help protect against this vulnerability by turning off the "Outlook
Today" folder home page in Outlook 2002.

 1. In the "Folder List" window of Outlook, right-click on "Outlook Today"
    or "Mailbox - [User Name]".
 2. Select Properties for "Outlook Today" or "Mailbox - [User Name]".
 3. Select the "Home Page" tab.
 4. Uncheck "Show home page by default for this folder".
 5. Repeat for all other "Folder List" items labeled "Outlook Today" or
    "Mailbox - [User Name]".

Impact of Workaround: The "Outlook Today" folder home page would no longer
be available.
If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later, read
e-mail messages in plain text format to help protect yourself from the HTML
e-mail attack vector

Microsoft Outlook 2002 users who have applied Service Pack 1 or later and
Outlook Express 6.0 users who have applied Service Pack 1 or later can
enable a feature that will allow them to view all non-digitally-signed
e-mail messages or non-encrypted e-mail messages in plain text only.
Digitally-signed e-mail messages and encrypted e-mail messages are not
affected by the setting and may be read in their original formats.

See Microsoft Knowledge Base Article 307594 for information about how to
enable this setting in Outlook 2002.

See Microsoft Knowledge Base Article 291387 for information about how to
enable this setting in Outlook Express 6.0.

Impact of Workaround: E-mail that is viewed in plain text format cannot
contain pictures, specialized fonts, animations, or other rich content.
Additionally:
 * The changes are applied to the preview pane and to open messages.
 * Pictures become attachments to avoid loss of message content.
 * Because the message is still in Rich Text Format or in HTML format in
   the mail store, the object model (custom code solutions) may behave
   unexpectedly.

Security Update Information

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, click
the appropriate link:
 * Outlook 2002 (available separately and as a component of Office XP)

Acknowledgments

Microsoft thanks the following for working with us to help protect
customers:
 * iDefense and Jouko Pynnönen for reporting the issue described in
   MS04-009.
Obtaining other security updates:

Updates for other security issues are available from the following
locations:
 * Security updates are available from the Microsoft Download Center, and
   can be most easily found by doing a keyword search for
   "security_patch".
 * Updates for consumer platforms are available from the Windows Update
   Web site.

Support:
 * Technical support is available from Microsoft Product Support Services
   at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no
   charge for support calls that are associated with security updates.
 * International customers can get support from their local Microsoft
   subsidiaries. There is no charge for support associated with security
   updates. Information on how to contact Microsoft support is available at
   the International Support Web Site.

Security Resources:
 * The Microsoft TechNet Security Web Site provides additional information
   about security in Microsoft products.
 * Microsoft Software Update Services
 * Microsoft Baseline Security Analyzer (MBSA)
 * Windows Update
 * Windows Update Catalog: Please view Knowledge Base Article 323166 for
   more information on the Windows Update Catalog.
 * Office Update

Systems Management Server (SMS): Systems Management Server can provide
assistance deploying this security update. For information about Systems
Management Server visit the SMS Web Site. For detailed information about
the many enhancements to the security update deployment process that SMS
2003 provides, please visit the SMS 2003 Security Patch Management Web
site. Some software updates may require administrative rights following a
restart of the computer.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose.
In no event shall Microsoft Corporation or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Microsoft Corporation
or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply.

Revisions:
 * V1.0 (March 9, 2004): Bulletin published.
 * V2.0 (March 10, 2004): Bulletin updated to reflect a revised severity
   rating of Critical and to advise of a new client update.
 * V2.1 (March 10, 2004): Frequently Asked Question "What is the scope of
   the vulnerability?" updated.

[***** End Microsoft Security Bulletin MS04-009 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-086: Red Hat Updated libxml2 Packages Fix Security Vulnerability
O-087: Red Hat Updated util-linux Packages Fix Information Leak
O-088: Sun passwd(1) Command Vulnerability
O-089: Sun Security Vulnerability in "/usr/lib/print/conv_fix"
O-090: Vulnerability in Novell Client Firewall Tray Icon
O-091: Adobe Reader 5.1 XFDF Buffer Overflow Vulnerability
O-092: WinZip Vulnerable to Buffer Overflow in Handling of MIME Archive Parameters
O-093: Oracle9i Database Buffer Overflow Vulnerabilities
O-094: Linux mremap(2) System Call Vulnerability
O-095: wu-ftpd chmod and S/Key Vulnerabilities