Microsoft Outlook / Outlook Express Cache Bypass Vulnerability
BID:1501
| Bugtraq ID: | 1501 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Jul 20 2000 12:00AM |
| Updated: | Jul 20 2000 12:00AM |
| Credit: | Publicized in a Microsoft Security Bulletin (MS00-046) on July 20, 2000. |
| Vulnerable: | Microsoft Outlook 98 0, Microsoft Outlook 97 0, Microsoft Outlook 2000 0 |
| Not Vulnerable: | |
Discussion
The Internet Explorer Security Architecture, which handles all incoming HTML processing whether it arrives via email or the web, controls the cache used by Outlook / Outlook Express. Under normal circumstances, all incoming HTML email with inline data should be downloaded to the cache and opened with Internet Zone security settings. Through certain methods, a user could send an HTML email with an inline file to a remote system that would be downloaded outside the Outlook / Outlook Express cache, to a known location, with the security settings of the Local Computer Zone, which has considerably higher privileges than the Internet Zone.
If the email recipient were misled to open the file, the remote user would be able to gain read access on the system. This vulnerability could lead to the placement of executables on the recipient's system if coupled with other types of attacks.
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Microsoft has released a patch for Outlook Express 5.01 which will eliminate this vulnerability. The patch requires Internet Explorer 4.01 Service Pack 2 or Internet Explorer 5.01 to install. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. The patch can be downloaded from the following URL:
http://www.microsoft.com/windows/ie/download/critical/patch9.htm
If a patch is not available for the version of Outlook or Outlook Express that you are running, it is recommended to take either of the following actions:
By installing Internet Explorer 5.01 Service Pack 1 or Internet Explorer 5.5 on any system other than Windows 2000, users will not be affected by this vulnerability. In addition, users who have configured Outlook to use MAPI only are not affected by the vulnerability, regardless of what version they are using.
The vulnerability can be eliminated by upgrading to either of the following using the default installation:
Internet Explorer 5.01 Service Pack 1 (on any system)
http://www.microsoft.com/Windows/ie/download/ie501sp1.htm
Internet Explorer 5.5 (on any system except for Windows 2000)
http://www.microsoft.com/windows/ie/download/ie55.htm
Non-default installations will also rectify the vulnerability as long as an installation method that installs upgraded Outlook Express components is chosen. An upgrade to Internet Explorer 5.5 on a Windows 2000 machine will not eliminate the vulnerability because it will not install upgraded Outlook Express components. Windows 2000 users should either install Windows 2000 Service Pack 1 (which will install both Internet Explorer 5.5 and upgrade the Outlook Express components at the same time) or uninstall Internet Explorer 5.5, install Internet Explorer 5.01 and apply Internet Explorer 5.01 Service Pack 1.
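The remediation rules above, expressed as a triage pass over a host inventory. This is an added example, not code from SecurityFocus or Microsoft; the `Host` fields, host names and inventory records are constructed for illustration, and treating any Windows 2000 or Internet Explorer service pack level at or above the one named in the text as equivalent is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Host:                      # hypothetical inventory record
    name: str
    os: str                      # e.g. "Windows 2000", "Windows 98"
    os_sp: int                   # Windows service pack level
    ie: str                      # "4.01", "5.01" or "5.5"
    ie_sp: int                   # Internet Explorer service pack level
    oe_upgraded: bool = True     # install method upgraded Outlook Express components
    oe_patch: bool = False       # Outlook Express 5.01 patch applied
    mapi_only: bool = False      # Outlook configured to use MAPI only

def triage(h):
    """Return (status, reason); status is 'ok' or 'exposed'."""
    w2k = h.os == "Windows 2000"
    if h.mapi_only:
        return "ok", "Outlook uses MAPI only"
    if h.oe_patch:
        return "ok", "Outlook Express 5.01 patch applied"
    if w2k and h.os_sp >= 1:     # assumption: later service packs include the SP1 fix
        return "ok", "Windows 2000 SP1 upgrades the Outlook Express components"
    # IE 5.01 SP1 fixes any system; IE 5.5 fixes any system except Windows 2000.
    fixed_ie = (h.ie == "5.01" and h.ie_sp >= 1) or (h.ie == "5.5" and not w2k)
    if fixed_ie and h.oe_upgraded:
        return "ok", "IE upgrade installed new Outlook Express components"
    if fixed_ie:
        return "exposed", "IE upgraded without Outlook Express components"
    if h.ie == "5.5" and w2k:
        return "exposed", "IE 5.5 on Windows 2000 needs Windows 2000 SP1"
    if (h.ie == "4.01" and h.ie_sp >= 2) or h.ie == "5.01":
        return "exposed", "patch can be installed on this IE version"
    return "exposed", "no fix from the advisory is present"

# Constructed sample inventory, not real hosts.
INVENTORY = [
    Host("ws-01", "Windows 98", 0, "5.5", 0),
    Host("ws-02", "Windows 2000", 0, "5.5", 0),
    Host("ws-03", "Windows 2000", 1, "5.5", 0),
    Host("ws-04", "Windows NT 4.0", 6, "4.01", 2),
    Host("ws-05", "Windows 98", 0, "5.01", 1, oe_upgraded=False),
    Host("ws-06", "Windows NT 4.0", 6, "5.01", 0, mapi_only=True),
]

def exposed_hosts(inventory):
    """Names of hosts that still need remediation, mapped to the reason."""
    return {h.name: triage(h)[1] for h in inventory if triage(h)[0] == "exposed"}

if __name__ == "__main__":
    for name, reason in exposed_hosts(INVENTORY).items():
        print(f"{name}: {reason}")
```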