Microsoft Security Bulletin MS00-045

Technical description:

By design, HTML mail can contain script, and among the actions such a script can take is to open a browser window that links back to the Outlook Express windows. Also by design, script in the browser window could read the HTML mail that is displayed in Outlook Express. However, a vulnerability results because the link could be made persistent. This could allow the browser window to retrieve the text of mails subsequently displayed in the preview pane, and relay it to the malicious user.

There are several significant restrictions on this vulnerability:

• Only the recipient could open the HTML mail that established the link.
• The attack would only persist until the user either closed the browser window that the HTML mail opened, or closed Outlook Express.
• The malicious user could only read mails that were displayed in the preview pane. If the preview pane feature were disabled, he could not read mails under any conditions.

The vulnerability is eliminated in Outlook Express 5.5, and customers who have installed it do not need to take any additional action. Outlook Express 5.5 is available as part of Internet Explorer 5.01 Service Pack 1, and, except when installed on Windows 2000, Internet Explorer 5.5. A patch is available for customers who prefer not to upgrade to Outlook Express 5.5.

What's this bulletin about?
Microsoft Security Bulletin MS00-045 announces the availability of a patch that eliminates a vulnerability in Microsoft® Outlook Express. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This vulnerability could allow a malicious user under very specific conditions to view, but not change, the contents of e-mails as the owner previews them. Specifically, the vulnerability could allow a script running in a browser window to have access to any e-mail that the user read via the preview pane, and would allow the script to forward the contents to the malicious user.
The vulnerability is subject to several constraints:

• The attack would need to be launched via an HTML mail that only the user could open.
• The attack would only persist until the user either closed the browser window that the HTML mail opened, or closed Outlook Express.
• The malicious user could only read mails that were displayed in the preview pane. If the preview pane feature were disabled, he could not read mails under any conditions.

What causes the vulnerability?
The vulnerability results because it is possible for an HTML e-mail, when opened, to create a browser window and link it permanently to the Outlook Express window. This would allow script running in the browser window to access the contents of any e-mail that was subsequently displayed in the Outlook Express preview pane.

Is it a security vulnerability for an HTML e-mail to open a browser window?
No, this is by design. The browser window would be opened in the Internet Zone, and be constrained by the Internet Explorer security model.

Is it a security vulnerability for an HTML e-mail to be able to link a browser window to the Outlook Express window?
No, this is by design. An HTML mail can initiate a browser window and link it back to the Outlook Express window in order to share information with it.

What is the security vulnerability here?
A link between a browser window and the Outlook Express window should not be persistent. That is, if an HTML mail opens a browser window and links it to the Outlook Express window, the link should be broken as soon as the HTML mail is closed. This vulnerability provides a way for an HTML mail to create a browser window, link it back to the Outlook Express window, and cause the link to stay intact even after the HTML mail was closed.

What would this vulnerability allow a malicious user to do?
A malicious user could exploit this vulnerability by sending an HTML mail that opened a browser window with a persistent link to the Outlook Express window. As the recipient previewed mails, the browser window could retrieve their text and send it via HTTP to the malicious user's web site.

What do you mean by "as the recipient previewed mails"?
It's important to understand that the link exists only between the browser window and the Outlook Express window. If the user opened a new mail by double-clicking on it, it would open in a new window - one that the browser window couldn't be linked to. The only time a mail's text is displayed in the Outlook Express window is when it's previewed. This means that if a user had the preview pane disabled, the vulnerability would pose no threat.

How can I select whether preview pane is enabled or not?
In the Outlook Express window, just select View, then Layout, then select or deselect "Show Preview Pane".

Would this vulnerability allow the malicious user to control Outlook Express in any way?
No. This vulnerability allows only passive eavesdropping - it does not allow the malicious user to issue any commands to the Outlook Express window. It would allow the malicious user to "look over the shoulder" of the user as he previewed e-mails, but it would not allow him to, for instance, open, delete, forward, or reply to them.

If I received an e-mail that exploited this vulnerability, would I need to open it in order to be attacked?
Yes. Keep in mind, however, that if you had enabled preview mode in Outlook Express, simply advancing to the next message would open the mail and allow the script to execute.

Would I see the browser window on my desktop?
You might. However, browser windows can be sized, and it's possible to size one that is too small to see. Regardless of the size of the window, however, the Internet Explorer icon would be visible on the Task Bar

Suppose I closed Outlook Express and then re-started it. Could my e-mails be read then?
No. Closing Outlook Express would break the link between the browser window and it. Even if you re-started Outlook Express, the script in the browser window could not re-establish the link. You would need to re-open the malicious user's HTML mail in order to be at risk again.

If I visited a malicious user's web site, could he use this vulnerability to read my e-mail?
No. If you visited a web site and it opened a new browser window, it could not link it to the Outlook Express window. The window would have to be initiated from within the Outlook Express window. Note that it's not a security vulnerability for an email to be able to open a browser window - what is a security vulnerability is the fact that the window would continue to link to the Outlook Express window even after the original HTML mail is closed.

I don't like the idea of HTML mail being able to run script. Can I prevent it from doing this?
Yes. Outlook Express lets you assign e-mails to one of the IE Security Zones. Customers who do not want HTML mail to be able to run script can disable Active Scripting in the Restricted Zone, then assign all HTML mail to be opened in that zone.
To disable Active Scripting in the Restricted Zone:

• Open Internet Explorer.
• Choose the "Tools" entry from the menu bar, then "Internet Options". Select the "General" tab.
• Click the "Restricted Sites" icon, then "Custom Level".
• In the "Security Settings" dialogue, scroll down the list of settings until you see "Scripting". Immediately below it will be "Active Scripting". Click on the "disable" button for "Active Scripting". When asked to confirm the change, answer "yes".
• Click OK to return to IE.

To assign all HTML mail to be opened in the Restricted Zone:

• Choose "Tools" option from the menu bar, then "Options". Select the "Security" tab.
• In the "Security Zones" section of the window, click on "Restricted Sites Zone". Click OK.

I use Microsoft Outlook as my email client. Could I be affected by this vulnerability?
No. Outlook is not affected by this vulnerability. However, Outlook users should still apply the patch, because the other vulnerabilities it eliminates do affect Outlook. For more information on these other vulnerabilities, see Microsoft Security Bulletins MS00-043 and MS00-046.

How can I tell if I'm affected by the vulnerability?
You are not affected by the vulnerability if any of the following are true:

• You have performed a default installation Internet Explorer 5.01 Service Pack 1 on your system.
• You have performed a default installation Internet Explorer 5.5 on your system and your system is not Windows 2000.
• You have installed the patch discussed in either Microsoft Security Bulletin MS00-043 or MS00-046.

If none of the above apply to you, you should install the patch.

What's the significance of performing a default installation of IE5.01 SP1 or IE 5.5?
A default installation of these products installs Outlook Express 5.5 as well, which is not affected by this vulnerability.

Why doesn't IE 5.5 eliminate the problem on Windows 2000?
In the specific case where IE 5.5 is installed on Windows 2000, there isn't a provision by which to install Outlook Express 5.5. Windows 2000 users can eliminate the vulnerability by either installing IE 5.01 SP1 or applying the patch.

What does the patch do?
The patch prevents a browser window from creating a persistent link to an Outlook Express window.

How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .

How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article

What is Microsoft doing about this issue?

• Microsoft has delivered a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.

Download locations for this patch This vulnerability can be eliminated by taking any of the following actions:

• Contacting Microsoft Product Support
• Performing a default installation of Internet Explorer 5.01 Service Pack 1.
• Performing a default installation of Internet Explorer 5.5 on any system except Windows 2000.

  Note: The patch requires IE 5.01 or IE 4.01 SP2 to install. Customers who install this patch on other versions may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q261255.

  Note: In addition to eliminating the vulnerability at issue here, the steps above also eliminate all vulnerabilities discussed in Microsoft Security Bulletins MS00-043 and MS00-046. Customers who already have taken the corrective action discussed in either of these bulletins do not need to take any additional action.