Bugtraq mailing list archives

Microsoft Security Bulletin (MS00-045)

From: secnotif () MICROSOFT COM (Microsoft Product Security)
Date: Thu, 20 Jul 2000 18:42:04 -0700


The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************

-----BEGIN PGP SIGNED MESSAGE-----

Microsoft Security Bulletin (MS00-045)
- --------------------------------------

Patch Available for "Persistent Mail-Browser Link" Vulnerability

Originally Posted: July 20, 2000

Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability affecting Microsoft(r) Outlook Express. The
vulnerability could allow a malicious user to send an email that
would "read over the shoulder" of the recipient as he previews
subsequent emails in Outlook Express.

A patch is available that eliminates this vulnerability as well as
those discussed in Microsoft Security Bulletins MS00-043 and
MS00-046. Customers who already have taken the corrective action
discussed in either of these bulletins do not need to take any
additional action.

Frequently asked questions regarding this vulnerability and the
patch can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-045.asp

Issue
=====
By design, HTML mail can contain script, and among the actions such a
script can take is to open a browser window that links back to the
Outlook Express windows. Also by design, script in the browser window
could read the HTML mail that is displayed in Outlook Express.
However, a vulnerability results because the link could be made
persistent. This could allow the browser window to retrieve the text
of mails subsequently displayed in the preview pane, and relay it to
the malicious user.
There are several significant restrictions on this vulnerability:
 - Only the recipient could open the HTML mail that established
   the link.
 - The attack would only persist until the user either closed
   the browser window that the HTML mail opened, or closed
   Outlook Express.
 - The malicious user could only read mails that were displayed
   in the preview pane. If the preview pane feature were
   disabled, he could not read mails under any conditions.

The vulnerability is eliminated in Outlook Express 5.5, and customers
who have installed it do not need to take any additional action.
Outlook Express 5.5 is available as part of Internet Explorer 5.01
Service Pack 1, and, except when installed on Windows 2000, Internet
Explorer 5.5. A patch is available for customers who prefer not to
upgrade to Outlook Express 5.5.

Affected Software Versions
==========================
 - Microsoft Outlook Express 4.0
 - Microsoft Outlook Express 4.01
 - Microsoft Outlook Express 5.0
 - Microsoft Outlook Express 5.01

Patch Availability
==================
This vulnerability can be eliminated by taking any of the following
actions:
 - Installing the patch available at
   http://www.microsoft.com/windows/ie/download/critical/patch9.htm
 - Performing a default installation of Internet Explorer 5.01
   Service Pack 1,
   http://www.microsoft.com/Windows/ie/download/ie501sp1.htm.
 - Performing a default installation of Internet Explorer 5.5
   (http://www.microsoft.com/windows/ie/download/ie55.htm)
   on any system except Windows 2000.

Note: The patch requires IE 4.01 SP2
(http://www.microsoft.com/windows/ie/download/ie401sp2.htm) or
IE 5.01 (http://www.microsoft.com/windows/ie/download/ie501.htm)
to install. Customers who install this patch on versions other
than these may receive a message reading "This update does not
need to be installed on this system". This message is incorrect.
More information is available in KB article Q261255.

Note: In addition to eliminating the vulnerability at issue
here, the steps above also eliminate all vulnerabilities
discussed in Microsoft Security Bulletins MS00-043
(http://www.microsoft.com/technet/security/bulletin/MS00-043.asp)
and MS00-046
(http://www.microsoft.com/technet/security/bulletin/MS00-046.asp).
Customers who already have taken the corrective action discussed
in either of these bulletins do not need to take any additional
action.

Note: Additional security patches are available at the Microsoft
Download Center (http://www.microsoft.com/downloads).

More Information
================
Please see the following references for more information related to
this issue.
 - Frequently Asked Questions: Microsoft Security Bulletin MS00-045,
   http://www.microsoft.com/technet/security/bulletin/fq00-045.asp
 - Microsoft Knowledge Base article Q261255 discusses this
   vulnerability and will be available soon.
 - Microsoft TechNet Security web site,
   http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.

Revisions
=========
 - June 20, 2000: Bulletin Created.

- ------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.

Last Updated July 20, 2000

(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOXeqTo0ZSRQxA/UrAQEXpgf+KXXLTGkY1vx5cmf/PAWm2CzDOqmyxcke
rleJIaT2dXmSJ2YDBePWkz8IIlWGQWSg6+t1/mJl59F/AtRWC+5ig+dgU7N3je3C
UIeqp/sJY9tGDJ6z8NmoHMmvZWSwKe8cZTVqkQEaO3YJ6DAu+2LI2Mbw1FQLwESN
Pw1d4Tp9OWD8X5UElggo3LjwlBMkuOBDnsD5ONESRvYQvTh/tOkL3Bbfuj9NblTX
0amDX8CClsLl0+m9tzFZ99iyB3zvV/Cmj7saGacZtonRTfoRHQjsIQ+iQe6AUlzl
FIik/dQeNHda1xJKY1/ixaNQ+UPKjlPceLgKwFK6oQXicqOsMJABoA==
=HZyG
-----END PGP SIGNATURE-----

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For  more  information on  the  Microsoft  Security Notification  Service
please  visit  http://www.microsoft.com/technet/security/notify.asp.  For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

Current thread:

Cobalt RaQ 3 security hole? Chad Day (Jul 18)
- Re: Cobalt RaQ 3 security hole? Joshua Ellis (Jul 20)
  - Re: Cobalt RaQ 3 security hole? Brian Behlendorf (Jul 21)
- Microsoft Security Bulletin (MS00-045) Microsoft Product Security (Jul 20)
- [ANNOUNCE] INN 2.2.3 available patrick () PINE NL (Jul 21)
- Re: Cobalt RaQ 3 security hole? Francis [loaded.net] (Jul 21)
  - Re: Cobalt RaQ 3 security hole? Kurt Seifried (Jul 21)
    - Re: Cobalt RaQ 3 security hole? Peter W (Jul 21)
    - Re: Cobalt RaQ 3 security hole? Edward S. Marshall (Jul 24)
    - Re: Cobalt RaQ 3 security hole? Wichert Akkerman (Jul 22)
- Sendmail filter rule to stop Outlook exploit Koos van den Hout (Jul 21)
- <Possible follow-ups>
- Re: Cobalt RaQ 3 security hole? Forrest J. Cavalier III (Jul 25)