Why was this bulletin updated?
After releasing the updated version of this bulletin on June 08, 2001, we discovered that the updated patch for Exchange 2000 contained outdated files that could cause performance problems on the server in certain instances. We have eliminated the error and provided an updated patch.
This bulletin was originally updated because shortly after releasing the original version of this bulletin on June 06, 2001, we discovered two problems that necessitated updating it:
- Contrary to the original version of the bulletin, Exchange 5.5 is affected by the vulnerability. We have developed a patch for Exchange 5.5.
- The patch that was originally provided for Exchange 2000 contained a regression error that could cause performance problems on the server. We have eliminated the error and provided an updated patch.
What's the scope of the vulnerability?
This vulnerability could enable an attacker to run script of his choice against a user's Exchange mailbox by embedding script in any attachment to a mail message. In order for the attack to be successful, the attachment would have to be viewed using OWA. The attachment need not be an HTML attachment. When activated, such a malicious attachment would be capable of taking any action that the user himself could take on the mailbox, including adding, changing, or deleting data in the mailbox.
The vulnerability only affects attachments received via Outlook Web Access. In order for an attacker to successfully attack a user via this vulnerability, she would need to be able to persuade the user to open a specially crafted attachment to a mail message using Outlook Web Access. As a general security practice, users should only open attachments from a trusted source.
What causes the vulnerability?
If a mail message is read in OWA and contains an attachment, and that attachment contains HTML content, a flaw in the interaction between OWA and Internet Explorer causes the browser to render the HTML in the namespace of the server. If the HTML contains scripting, that script may be executed without warning.
What is Outlook Web Access (OWA)?
OWA is a feature that first shipped with Exchange 5.0. When OWA is installed and configured, users can use a web browser as their mail client to access Exchange. OWA is installed by default with Exchange 2000 Server.
What's the problem with how OWA handles attachments when using IE?
By design, when a user double-clicks on a mail attachment in OWA the user should see a dialogue asking whether to save the attachment or to open it. If the user chooses to open it, the file should be handed off to the Operating System and opened using the application that's appropriate for the file type.
The vulnerability results because the dialogue isn't displayed and the file is instead automatically opened. Moreover, the file is opened using IE, which will parse any script it finds in the file.
Are all versions of OWA vulnerable?
No. The vulnerability only affects OWA in Exchange 5.5 and Exchange 2000.
Does this vulnerability affect Outlook or Outlook Express?
No. The vulnerability only affects Outlook Web Access. It does not affect any of the Outlook or Outlook Express clients.
Does this vulnerability affect all browsers using OWA?
No, the issue only occurs when using IE with OWA. No other browsers are affected.
What would this vulnerability enable an attacker to do?
The attachment would be able to take any action that the user could take on his Exchange mailbox. This could include manipulating messages or folders with complete control.
How might an attacker use this vulnerability?
To exploit this vulnerability, an attacker would have to construct a specially crafted attachment and send it to the intended victim in a mail message. The intended victim would have to use OWA to open the mail message and then the attachment. It's important to note that if the user were to open the attachment in the Outlook client, the attack would fail. Because the attack would require a user to use a specific mail client, a significant degree of social engineering would be required to successfully exploit this vulnerability.
Is there any way to exploit this vulnerability just by causing the user to open a mail message?
No. The vulnerability affects attachments only, not mail messages. It's important to note that OWA strips potentially dangerous content from mail messages.
What does the patch do?
The patch eliminates the vulnerability by changing the way that OWA handles attachments. After the patch is applied, OWA sends information that causes IE to prompt the user to download attached documents before they are opened. The user can then save the document locally, or cancel the download.
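The same download-before-open behaviour can be checked on any webmail attachment endpoint. The following is an added example, not code from the bulletin or from the patch: the bulletin does not say what information the patched OWA sends, so this sketch assumes the present-day headers `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, and the function names and sample response are constructed for illustration.

```python
from email.message import Message

# Types a browser will parse for script when shown inline (illustrative list).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}

# Constructed sample: an attachment response with no download instruction.
SAMPLE_INLINE = {"Content-Type": "text/html"}


def attachment_headers(filename):
    """Headers that make the browser offer a save prompt for an attachment.

    The type declared in the mail is deliberately ignored: the bulletin notes
    the attachment need not be an HTML attachment to carry script.
    """
    # Keep only characters that cannot break out of the quoted filename.
    safe = "".join(c for c in filename
                   if c.isascii() and (c.isalnum() or c in "._- "))
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % (safe or "attachment"),
        "X-Content-Type-Options": "nosniff",
    }


def audit(headers):
    """Return findings for one attachment response; empty list means OK."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    parsed = Message()
    parsed["Content-Disposition"] = h.get("content-disposition", "inline")
    if parsed.get_content_disposition() != "attachment":
        findings.append("rendered inline in the webmail origin")
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype in ACTIVE_TYPES:
        findings.append("script-capable content type")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("content sniffing not disabled")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_INLINE))
    print(audit(attachment_headers("invoice.html")))
```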
What Exchange Servers should I install the patch on?
This patch is intended only for Exchange 5.5 and Exchange 2000 servers that are running OWA. You do not need to install this patch on Exchange Servers that are not running OWA.
I've installed earlier versions of the Exchange 2000 patch. What's the best way to install the updated patch?
You can install the updated patch by performing a normal install of the patch. You do not need to uninstall previous versions of the Exchange 2000 patch to update your system.