Microsoft Outlook and Outlook Web Access Source Email Address Spoofing Weakness

Bugtraq ID:	13078
Class:	Design Error
CVE:	CVE-2005-1052
Remote:	Yes
Local:	No
Published:	Apr 08 2005 12:00AM
Updated:	Jul 12 2009 12:56PM
Credit:	Discovery is credited to Sergey V. Gordeychik.
Vulnerable:	Microsoft Outlook XP + Microsoft Office XP Microsoft Outlook 2003 0 + Microsoft Office 2003 SP3 + Microsoft Office 2003 SP3 + Microsoft Office 2003 SP2 + Microsoft Office 2003 SP2 + Microsoft Office 2003 SP1 + Microsoft Office 2003 SP1 + Microsoft Office 2003 0 + Microsoft Office 2003 0 Microsoft Exchange Server 2003
Not Vulnerable:

Microsoft Outlook and Outlook Web Access Source Email Address Spoofing Weakness

Microsoft Outlook and Outlook Web Access clients are reported prone to a weakness that may allow remote attackers to send email with a spoofed address.

It is reported that this issue arises when an attacker sends an e-mail by specifying multiple source email addresses.

This issue may allow an attacker to carry out other attacks by combining this issue with social engineering and phishing attacks. An attacker may also bypass email gateways and send email to users.

Microsoft Outlook and Outlook Web Access Source Email Address Spoofing Weakness

An exploit is not required.

Microsoft Outlook and Outlook Web Access Source Email Address Spoofing Weakness

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

Microsoft Outlook and Outlook Web Access Source Email Address Spoofing Weakness

References:

• Microsoft Multiple E-Mail Client Address Spoofing Vulnerability ("iDEFENSE Labs" )