• Article

Security Bulletin

Microsoft Security Bulletin MS01-030 - Critical

Incorrect Attachment Handling in Exchange OWA Can Execute Script

Published: June 06, 2001 | Updated: June 13, 2003

Version: 3.1

Originally posted: June 06, 2001
Updated: June 13, 2003

Summary

Who should read this bulletin:
System administrators who have deployed Outlook Web Access using Microsoft® Exchange 5.5 Server or Exchange 2000 Server.

Impact of vulnerability:
Run code of attacker's choice.

Recommendation:
Customers with OWA implementations should install the patch immediately.

Affected Software:

  • Microsoft Exchange 5.5 Server Outlook Web Access
  • Microsoft Exchange 2000 Server Outlook Web Access

General Information

Technical details

Technical description:

On June 06, 2001 Microsoft released the original version of this bulletin. We subsequently identified two issues that necessitated updating the patch and the bulletin on June 08, 2001:

  • The vulnerability was found to affect Exchange Server 5.5. We have developed a patch that eliminates the vulnerability, and recommend that customers offering OWA services using Exchange 5.5 install it.
  • A regression error was identified in the patch that was originally provided for Exchange 2000. We have corrected the error and provided an updated version of the patch. We recommend that customers who installed the original version of the Exchange 2000 patch install the updated version.

On June 12, 2001 Microsoft discovered that the updated Exchange 2000 patch contained outdated files. We have corrected the error and provided an updated version of this patch for Exchange 2000. We recommend that all customers who have downloaded the Exchange 2000 patch prior to June 12, 2001 install the updated version.

OWA is a service of Exchange 5.5 and 2000 Server that allows users to use a web browser to access their Exchange mailbox. However, a flaw exists in the interaction between OWA and IE for message attachments. If an attachment contains HTML code including script, the script will be executed when the attachment is opened, regardless of the attachment type. Because OWA requires that scripting be enabled in the zone where the OWA server is located, this script could take action against the user's Exchange mailbox.

An attacker could use this flaw to construct an attachment containing malicious script code. The attacker could then send the attachment in a message to the user. If the user opened the attachment in OWA, the script would execute and could take action against the user's mailbox as if it were the user, including, under certain circumstances, manipulation of messages or folders.

Mitigating factors:

  • The vulnerability could only be exploited if the user were using OWA in conjunction with IE.
  • The vulnerability is only exploitable by attachments that are received via OWA. In general, an attacker would have no way to determine whether a user would open an attachment using OWA rather than an Outlook client.
  • An attacker's ability to exploit this vulnerability would require that she entice the user to open an attachment from an untrusted source. Best practices recommend against opening any attachment from an unknown or untrusted source.

Vulnerability identifier: CAN-2001-0340

Tested Versions:

Microsoft tested Exchange 5.5 and 2000 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.

Frequently asked questions

Why was this bulletin updated?
After releasing the updated version of this bulletin on June 08, 2001, we discovered that the updated patch for Exchange 2000 contained outdated files that could cause performance problems on the server in certain instances. We have eliminated the error and provided an updated patch. This bulletin was originally updated because shortly after releasing the original version of this bulletin on June 06, 2001, we discovered two problems that necessitated updating it:

  • Contrary to the original version of the bulletin, Exchange 5.5 is affected by the vulnerability. We have developed a patch for Exchange 5.5.
  • The patch that was originally provided for Exchange 2000 contained a regression error that could cause performance problems on the server. We have eliminated the error and provided an updated patch.

What's the scope of the vulnerability?
This vulnerability could enable an attacker to run script of his choice against a user's Exchange mailbox by embedding script in any attachment to a mail message. In order for the attack to be successful, the attachment would have to be viewed using OWA. The attachment need not be an HTML attachment. When activated, such a malicious attachment would be capable of taking any action that the user himself could take on the mailbox, including adding, changing, or deleting data in the mailbox. The vulnerability only affects attachments received via Outlook Web Access. In order for an attacker to successfully attack a user via this vulnerability, she would need to be able to persuade the user to open a specially crafted attachment to a mail message using Outlook Web Access. As a general security practice, users should only open attachments from a trusted source.

What causes the vulnerability?
If a mail message is read in OWA and contains an attachment, and that attachment contains HTML content, a flaw in the interaction between OWA and Internet Explorer causes the browser to render the HTML in the namespace of the server. If the HTML contains scripting, that script may be executed without warning.

What is Outlook Web Access (OWA)?
OWA is a feature that first shipped with Exchange 5.0. When OWA is installed and configured, users can use a web browser as their mail client to access Exchange. OWA is installed by default with Exchange 2000 Server.

What's the problem with how OWA handles attachments when using IE?
By design, when a user double-clicks on a mail attachment in OWA the user should see a dialogue asking whether to save the attachment or to open it. If the user chooses to open it, the file should be handed off to the Operating System and opened using the application that's appropriate for the file type. The vulnerability results because the dialogue isn't displayed and the file is instead automatically opened. Moreover, the file is opened using IE, which will parse any script it finds in the file.

Are all versions of OWA are vulnerable?
No. The vulnerability only affects OWA in Exchange 5.5 and Exchange 2000.

Does this vulnerability affect Outlook or Outlook Express?
No. The vulnerability only affects Outlook Web Access. It does not affect any of the Outlook or Outlook Express clients.

Does this vulnerability affect all browsers using OWA?
No, the issue only occurs when using IE with OWA. No other browsers are affected.

What would this vulnerability enable an attacker to do?
The attachment would be able to take any action that the user could take on his Exchange mailbox. This could include manipulating messages or folders with complete control.

How might an attacker use this vulnerability?
To exploit this vulnerability, an attacker would have to construct a specially crafted attachment and send it to the intended victim in a mail message. The intended victim would have to use OWA to open the mail message and then the attachment. It's important to note that if the user were to open the attachment in the Outlook client, the attack would fail. Because the attack would require a user to use a specific mail client, a significant degree of social engineering would be required to successfully exploit this vulnerability.

Is there any way to exploit this vulnerability just by causing the user to open a mail message?
No. The vulnerability affects attachments only, not mail messages. It's important to note that OWA strips potentially dangerous content from mail messages.

What does the patch do?
The patch eliminates the vulnerability by changing the way that OWA handles attachments After the patch is applied, OWA sends information that causes IE to prompt the user to download attached documents before they are opened. The user can then save the document locally, or cancel the download.

What Exchange Servers should I install the patch on?
This patch is intended only for Exchange 5.5 and Exchange 2000 servers that are running OWA. You do not need to install this patch on Exchange Servers that are not running OWA.

I've installed earlier versions of the Exchange 2000 patch, what's the best way to install the updated patch?
You can install the updated patch by performing a normal install of the patch. You do not need to uninstall previous versions of the Exchange 2000 patch to update your system.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

This patch can be installed on systems running Exchange 2000 Gold and Exchange 5.5 Service Pack 4.

Inclusion in future service packs:

The fix for this issue will be included in Exchange 2000 Service Pack 1.

Superseded patches:

None.

Verifying patch installation:

To verify that the patch has been installed on the machine, confirm that the files listed in the knowledge base article have been installed.

Caveats:

In some cases, Internet Explorer will prompt users twice to open an attachment once this fix is applied. To work around this issue, the attachment may be saved to a folder then opened from that location.

Localization:

  • The Exchange 5.5 patch can be installed on any language platform.
  • Localized versions of the Exchange 2000 patch are available from the Microsoft Download Center.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Joao Gouveia for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article Q299535 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (June 06, 2001): Bulletin Created.
  • V2.0 (June 08, 2001): Bulletin updated to advise customers that Exchange 5.5 is also affected by the vulnerability and that the version of the Exchange 2000 patch released on June 06, 2001, contained a regression error that has been corrected.
  • V3.0 (June 13, 2001): Bulletin updated to advise customers that the updated version of the Exchange 2000 patch released on June 08, 2001, contained outdated files that has been corrected.
  • V3.1 (June 13, 2003): Updated download links to Windows Update.

Built at 2014-04-18T13:49:36Z-07:00