Why is Microsoft re-releasing this bulletin?
The original version of the bulletin advised customers of a workaround procedure that could be used while a patch was under development. We have now completed the patch, and have re-released this bulletin to advise customers of its availability.
What's the scope of this vulnerability?
The scope of this vulnerabilty would vary significantly depending on the version of Outlook the user is running. If exploited against a user running Outlook 2002, it could enable an attacker to read or delete mail, change calendar or contact information, or take any other action possible though Outlook 2002, including running code on the user's machine. If exploited against a user running Outlook 2000 or 98, it could enable an attacker to change the user's display options in Outlook, but nothing more.
In order to exploit the vulnerability, the attacker would need to either lure a user to a particular web site or send a specially-designed e-mail to the user. In the first scenario, the attacker couldn't compel the user to visit the site. In the second scenario, a security update that has been available for over a year would fully protect the user's system.
What causes the vulnerability?
The vulnerability results because an ActiveX control installed by Outlook 2002 exposes an unsafe function that could enable an attacker to run any desired code on another user's system.
What's ActiveX?
ActiveX is a technology that enables developers to write small programs called controls, that can be used by web pages, Visual Basic programs, and other applications. An ActiveX control performs a small number of related tasks, and can be used as building blocks in much more complex programs.
Developers can build custom ActiveX controls; if this is done, the controls must be distributed to each user. However, Microsoft and many third-party software vendors ship ActiveX controls with their products, to enable these products to be easily extended. The vulnerability in this case involves an ActiveX control that installs by default as part of Outlook 2002, but also affects Outlook 98 and 2000.
What is the ActiveX control at issue here?
The control is called the Microsoft Outlook View Control. Its purpose is to allow information from Outlook to be displayed, usually within a web browser. For instance, using this control, a web page could show a user the contents of her Outlook inbox.
What's wrong with the control?
The control provides a function that could enable the web page to do more than simply display information for the user - it could enable it to take action within Outlook, including manipulating any of the user's Outlook data, such as mail, calendar information, contacts, and so forth.
What would this enable the attacker to do?
It would depend on the version of Outlook the user was running. An attacker who successfully exploited this vulnerability against an Outlook 2002 user could take virtually any action on the user's system. Examples include creating, deleting or changing mail, adding new appointments, modifying contacts, and potentially up to running arbitrary code on the user's machine.
In contrast, an attacker who exploited the vulnerability against a user running Outlook 2000 or 98 wouldn't be able to take any serious action. The vulnerability would only allow the attacker to change how Outlook folders appear, but nothing more. It would provide no opportunity for the attacker to read, change or delete any data on the user's machine, or to run code on it.
How could the attacker exploit the vulnerability?
The attacker would need to create a web page that, when opened, would invoke the control and misuse the function we discussed above. The attacker would likely use either of two strategies to cause another user to open the page.
- He could host the page on a web site he controlled. If a user visited the site and opened the web page, the page would attempt to invoke the control.
- He could send the user a link to a malicious web page via e-mail. If the recipient clicked on the link, it would attempt to invoke the control on the malicious web site.
In both of the scenarios, you said the web page would attempt to invoke the control. What's the significance of the word "attempt"?
You can control whether web pages are allowed to invoke ActiveX controls. If you've configured your system to prevent this, the web page couldn't invoke the control, and the attacker couldn't exploit the vulnerability.
In the original version of the bulletin, we recommended that customers protect their systems against the vulnerability by temporarily reconfiguring their systems to prevent web pages from invoking ActiveX controls. However, a patch is now available that eliminates the vulnerability altogether, and customers who apply it can safely return their systems to their previous configurations if they wish.
I'm a system administrator, and would like to enable ActiveX controls on all my users' machines after installing the patch. Can I do this?
Yes. The procedure to use depends on the operating system you're using:
Windows 2000 networks using Active Directory. You can use Group Policy to automatically push the settings to all users the next time they log on. To do this, follow these steps:
- Create a Group Policy object at the Site, Domain or Organizational Unit level.
- Choose User Configuration | Windows Settings | Internet Explorer Maintenance | Security | Security Zones and Content Maintenance.
- Click the radio button titled "Import the current security zones settings", then click on "Modify Settings"
- Click on the icon labeled "Internet", then click the button labeled "Custom Level".
- Scroll down the list of settings until you find the one titled "Run ActiveX controls and plug-ins". Select "Enable", then click OK twice to return to the Group Policy dialogue.
All other operating systems. Use the IE Administration Kit's Profile Manager to create an update package with the desired security settings. Once this has been done, users can either use a URL or an AutoConfig URL (which would have been specified during the initial IE setup) to automatically update the settings. For more information on doing this, see http://www.microsoft.com/technet/prodtechnol/ie/ieak/.
I previously followed the workaround and disabled ActiveX control in the Internet Zone. I've now installed the patch. How do I undo the workaround?
To re-enable ActiveX controls in the Internet Zone, follow these instructions:
- In Internet Explorer, choose Tools, then Options.
- Select the Security tab
- Click on the icon labeled "Internet", then click the button labeled "Custom Level".
- Scroll down the list of settings until you find the one titled "Run ActiveX controls and plug-ins". Select "Enable", then click OK to return to the Options page.
- Click OK again to close the Options page.
If you chose to disable ActiveX in either the Intranet or Trusted Sites Zones and want to re-enable the setting, follow the instructions above but in Step 3 choose the icon labeled "Intranet" or "Trusted Sites", as appropriate.
I found that I liked running IE with ActiveX controls disabled. Do I have to re-enable the setting?
No. If you like the new settings, there's no reason why you must change them. However, we still recommend applying the patch, just in case you decide at some future point to re-enabled ActiveX controls.
How great a risk does the e-mail-borne scenario above pose?
If you've installed the Outlook E-mail Security Update, you're at no risk from the e-mail-borne scenario, as the Update causes HTML e-mail to be handled in the Restricted Sites Zone, where ActiveX controls are disabled by default. The Update is included by default in Outlook 2002.
Just the same, we recommend that even customers using the Update or Outlook 2002 download and install the patch, to protect against the web-based scenario.
I'm running Outlook 98, but there isn't a patch for it. Why is this?
Outlook 98 is no longer supported. We recommend that customers using Outlook 98 either upgrade to a more recent version or continue operating with ActiveX controls disabled in the Internet Zone.
Doesn't this leave Outlook 98 users at risk?
No. Keep in mind that the only thing an attacker could do via this vulnerability against an Outlook 98 user would be to change the user's Outlook folder view. It couldn't be used to compromise data or control of the system in any way. In addition -- and in contrast to Outlook 2002 and 2000 -- the control at issue here doesn't ship as part of Outlook 98. The attacker would have to convince the user to download and install the control, and even then could only use it for an annoyance attack.
The Patch Availability section lists something called an Administrative Patch. What is this?
The administrative patch is a version of the patch that's packaged to allow it to be deployed throughout a network by an administrator. Microsoft Knowledge Base article Q303825 discusses how to deploy the administrative patch for Outlook 2002.
