Microsoft Security Bulletin MS02-021

E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward (Q321804)

Originally posted: April 25, 2002
Updated: February 28th, 2003

Summary

Who should read this bulletin:
Users of Microsoft® Outlook 2000 or Outlook 2002

Impact of vulnerability:
Run Code of Attacker's Choice

Maximum Severity Rating:
Moderate

Recommendation:
Customers using WordMail should apply the patch immediately

Affected Software:

Microsoft Outlook 2000
Microsoft Outlook 2002

General Information

Technical details

Technical description:

Outlook 2000 and 2002 provide the option to use Microsoft Word as the e-mail editor when creating and editing e-mail in either Rich-Text or HTML format. A security vulnerability exists when Outlook is configured this way and the user forwards or replies to a mail from an attacker.

The vulnerability results from a difference in the security settings that are applied when displaying a mail versus editing one. When Outlook displays an HTML e-mail, it applies Internet Explorer security zone settings that disallow scripts from being run. However, if the user replies to or forwards a mail message and has selected Word as the e-mail editor, Outlook opens the mail and puts the Word editor into a mode for creating e-mail messages. Scripts are not blocked in this mode.

An attacker could exploit this vulnerability by sending a specially malformed HTML e-mail containing a script to an Outlook user who has Word enabled as the e-mail editor. If the user replied to or forwarded the e-mail, the script would then run, and be capable of taking any action the user could take.

Mitigating factors:

The vulnerability only affects Outlook users who use Word as their e-mail editor.
Users who have enabled the feature introduced in Office XP SP1 to read HTML mail as plain text are not vulnerable.
For an attacker to successfully exploit this vulnerability, the user would need to reply to or forward the malicious e-mail. Simply reading it would not enable the scripts to run, and the user could delete the mail without risk.

Severity Rating:

	Internet Servers	Intranet Servers	Client Systems
Outlook 2000	None	None	Moderate
Outlook 2002	None	None	Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. The e-mail recipient must be using Word as their e-mail editor and choose to reply to or forward a specially malformed HTML e-mail received from an attacker.

Vulnerability identifier: CAN-2002-1056

Tested Versions:

Microsoft tested Outlook 2000 and Outlook 2002 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This is a vulnerability that could allow an attacker to run script of his choice on the user's system, via an HTML e-mail. Such a script could take action on the system as though it was the user.
An attacker would only be able to exploit this vulnerability if the recipient has Word configured as the e-mail editor and the recipient chooses to reply to or forward the e-mail.
The attacker's actions would be limited by any restrictions which govern the user's actions. Thus, in an environment where accounts adhere to the rule of least privilege, the attacker might be significantly limited in the actions his program could take.

What causes the vulnerability?
The vulnerability results because of a flaw in how the WordMail editor handles scripting contained in HTML when an e-mail message is replied to or forwarded. In certain circumstances, the scripting is handled in an unsafe manner and could run without warning the user.

What is WordMail?
WordMail is another way of saying that you have enabled Word as your e-mail editor. WordMail allows you to create new e-mail messages using most of the features found in Word, such as formatting, AutoText and Check Spelling as You Type.

How does WordMail handle HTML e-mail?
WordMail is used for composing, replying to, or forwarding e-mail, including HTML e-mail

What's wrong with how WordMail handles HTML e-mail in replies or forwards?
The problem results because e-mails are handled differently when read than when replied to or forwarded. When you receive and view an HTML e-mail, the message is subject to the Internet Explorer security zone settings, which are honored by Outlook. Scripts are not run because of the Internet Explorer security zones.
When you reply to an e-mail or forward the message, the new message is in the same format as the message you received. A reply or forward has been treated as being the same as creating a message, which means Word is in a less-restrictive creation mode that doesn't block scripts, so the scripts could be run.

How might an attacker exploit this vulnerability?
An attacker could create an HTML e-mail containing script, then send it to another user. If the recipient is using Outlook 2000 or Outlook 2002 and chooses to reply to or forward the attacker's HTML e-mail using WordMail, the script could then be run. The script would have access to the user's local system resources and can execute with the same privileges as the user.

How would the attacker know whether the user was using WordMail?
The attacker has no way to discover remotely if a recipient is using WordMail.

Does the vulnerability provide any way for the attacker to force the user to reply to or forward the mail?
No, the user must choose to reply to or forward the e-mail.

Is it possible to craft an HTML e-mail message like this by accident?
No, it would require very specific, detailed knowledge and such a message would have to be specifically constructed with malicious intent.

What can I do to protect myself against this vulnerability?
The best way to protect yourself is to apply the patch to systems running Outlook 2000 or Outlook 2002.

Are there any other steps I can take to protect myself?
Customers who have enabled a new feature feature added in Office XP SP-1 that lets you read all non-digitally-signed e-mail or non-encrypted e-mail in plain text format are protected against attempts to exploit this vulnerability.
The KnowledgeBase article Q307594 describes how to enable this feature.
However, you should still apply the patch in case you disable the read as plain text option in the future.

What does the patch do?
The patch eliminates the vulnerability by having Word handle all forwards and replies in Design mode, which will not allow scripts to be run.

Patch availability

Other information:

Support:

Microsoft Knowledge Base article Q321804 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 (April 25, 2002): Bulletin Created.
V1.1 (February 28, 2003): Updated download links to Windows Update.