Microsoft Security Bulletin MS04-009

Technical description:

Subsequent to the release of this bulletin, it was determined that this vulnerability could also affect users who do not have the "Outlook Today" folder home page as their default home page in Outlook 2002. As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector. The update released with the original version of this security bulletin is effective in protecting from the vulnerability and users who have applied the update or have installed Office XP Service Pack 3 do not need to take additional action.

In addition, Microsoft is making available an additional "client update" for customers on the Microsoft Download Center. This additional update does not contain new fixes or functionality, but is instead an additional offering of the update that provides an alternative for customers. More information on the client update is available in the Security Update Information section.

A security vulnerability exists within Outlook 2002 that could allow Internet Explorer to execute script code in the Local Machine zone on an affected system. The parsing of specially crafted mailto URLs by Outlook 2002 causes this vulnerability. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page.

The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message. After the user has visited the malicious Web site or viewed the malicious HTML e-mail message an attacker who successfully exploited this vulnerability could access files on a user's system or run arbitrary code on a user's system. This code would run in the security context of the currently logged-on user. Outlook 2002 is available as a separate product and is also included as part of Office XP.

Mitigating factors:

• Users who read e-mail messages in plain text format in are at less risk from the HTML e-mail attack vector as they would need to click on a link in an e-mail message to be affected.
• If an attacker exploited this vulnerability, the attacker would gain only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than users who operate with administrative privileges.

Severity Rating:

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2004-0121

Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability. However, they help block known attack vectors. Workarounds may reduce functionality in some cases; in such cases, the reduction in functionality is identified below.

Do not use the "Outlook Today" folder home page in Outlook 2002

You can help protect against this vulnerability by turning off the "Outlook today" folder home page in Outlook 2002.

1. In the "Folder List" window of Outlook, right-click on "Outlook Today" or "Mailbox—[User Name]"
2. Select Properties for "Outlook Today" or "Mailbox—[User Name]"
3. Select "Home Page" tab
4. Uncheck "Show home page by default for this folder"
5. Repeat for all other "Folder List" items labeled "Outlook Today" or "Mailbox—[User Name]"

Impact of Workaround:

The "Outlook Today" folder home page would no longer be available.

If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later, read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector

Microsoft Outlook 2002 users who have applied Service Pack 1 or later and Outlook Express 6.0 users who have applied Service Pack 1 or later can enable a feature that will enable them to view all non-digitally-signed e-mail messages or non-encrypted e-mail messages in plain text only.

Digitally-signed e-mail messages and encrypted e-mail messages are not affected by the setting and may be read in their original formats.

See Microsoft Knowledge Base Article 307594 for information about how to enable this setting in Outlook 2002.

See Microsoft Knowledge Base Article 291387for information about how to enable this setting in Outlook Express 6.0

Impact of Workaround:

E-mail that is viewed in plain text format cannot contain pictures, specialized fonts, animations, or other rich content. Additionally:

• The changes are applied to the preview pane and to open messages.
• Pictures become attachments to avoid loss of message content.
• Because the message is still in Rich Text Format or in HTML format in the store, the object model (custom code solutions) may behave unexpectedly because the message is still in Rich Text Format or in HTML format in the mail store.

Why is Microsoft re-issuing this bulletin
Subsequent to the release of this bulletin, it was determined that this vulnerability could also affect users who do not have the "Outlook Today" folder home page as their default home page in Outlook 2002. As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector. The update released with the original version of this security bulletin is effective in protecting from the vulnerability and users who have applied the update or have installed Office XP Service Pack 3 do not need to take additional action.

In addition, Microsoft is making available an additional "client update" for customers on the Microsoft Download Center. This additional update does not contain new fixes or functionality, but is instead an additional offering of the update that provides an alternative for customers. More information on the client update is available in the Security Update Information section.

What is the scope of the vulnerability?
A privilege elevation vulnerability exists within Outlook 2002, and its handling of mailto URLs, that could allow Internet Explorer to execute script in the Local Machine Zone on an affected system. Outlook 2002 is available as a separate product and is also included as part of Office XP. An attacker who successfully exploited this vulnerability could access files on a user's system or run arbitrary code on a user's system.

What causes the vulnerability?
The vulnerability is caused by the way a mailto URL is interpreted by Outlook 2002. By creating a specially formatted mailto URL it is possible to get Outlook 2002 to interpret the URL in a manner that could allow code execution.

What is a mailto URL?
The mailto URL scheme is defined in RFC 2368. The RFC states that "The mailto URL scheme is used to designate the Internet mailing address of an individual or service. In its simplest form, a mailto URL contains an Internet mail address. For greater functionality, because interaction with some resources may require message headers or message bodies to be specified as well as the mail address, the mailto URL scheme is extended to allow setting mail header fields and the message body."

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause Internet Explorer to execute script in the Local Machine Zone on an affected system. An attacker who exploited this vulnerability could access files on a user's system or run arbitrary code on a user's system.

How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message.

What systems are primarily at risk from the vulnerability?
Users who use Outlook 2002 as their default e-mail client are primarily at risk from this vulnerability.

Is Office 2000 or Office 2003 affected by this vulnerability?
No. These versions have tested and have been found to not be affected by this vulnerability.

Are any versions of Outlook Express affected by this vulnerability?
No.  However, if Outlook 2002 is configured as the default e-mail reader on that system, reading a malicious HTML e-mail message with any version of Outlook Express could allow the malformed mailto URL to be passed to Outlook 2002.  For Outlook Express 6 Service Pack 1 or greater, reading e-mail message in plain text can be used as a work around for this type of attack.  For more information please see the Workarounds section in this document.

What does the update do?
The update modifies the way that the mailto URL is processed by Outlook 2002.

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, click the appropriate link: