Security Bulletin

Microsoft Security Bulletin MS04-009 - Critical

Published: March 09, 2004 | Updated: April 12, 2004

Version: 2.2

Issued: March 9, 2004
Updated: April 12, 2004
Version: 2.2

Who Should Read This Document:
Customers that are using Microsoft Office XP and Outlook 2002

Impact of Vulnerability:
Remote Code Execution

Maximum Severity Rating:
Critical

Recommendation:
Customers should apply the update immediately.

Security Update Replacement:
This update replaces the one that is provided in Microsoft Security Bulletin MS03-003.

Caveats:
None

Tested Software and Security Update Download Locations:

Affected Software

• Microsoft Office XP Service Pack 2- Download the update
• Microsoft Outlook 2002 Service Pack 2- Download the update

Note  An administrative update is also available; please see the Security Update Information section for more details.

Non Affected Software

• Microsoft Office 2000 Service Pack 3
• Microsoft Office XP Service Pack 3
• Microsoft Office 2003
• Microsoft Outlook 2000 Service Pack 3
• Microsoft Outlook 2002 Service Pack 3
• Microsoft Outlook 2003

The software listed above has been tested to determine if the versions are affected.  Other versions either no longer include security patch support or may not be affected.  Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.

Technical description:

Subsequent to the release of this bulletin, it was determined that this vulnerability could also affect users who do not have the "Outlook Today" folder home page as their default home page in Outlook 2002. As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector. The update released with the original version of this security bulletin is effective in protecting from the vulnerability and users who have applied the update or have installed Office XP Service Pack 3 do not need to take additional action.

In addition, Microsoft is making available an additional "client update" for customers on the Microsoft Download Center. This additional update does not contain new fixes or functionality, but is instead an additional offering of the update that provides an alternative for customers. More information on the client update is available in the Security Update Information section.

A security vulnerability exists within Outlook 2002 that could allow Internet Explorer to execute script code in the Local Machine zone on an affected system. The parsing of specially crafted mailto URLs by Outlook 2002 causes this vulnerability. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page.

The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message. After the user has visited the malicious Web site or viewed the malicious HTML e-mail message an attacker who successfully exploited this vulnerability could access files on a user's system or run arbitrary code on a user's system. This code would run in the security context of the currently logged-on user. Outlook 2002 is available as a separate product and is also included as part of Office XP.

Mitigating factors:

• Users who read e-mail messages in plain text format in are at less risk from the HTML e-mail attack vector as they would need to click on a link in an e-mail message to be affected.
• If an attacker exploited this vulnerability, the attacker would gain only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than users who operate with administrative privileges.

Severity Rating:

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2004-0121

Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability. However, they help block known attack vectors. Workarounds may reduce functionality in some cases; in such cases, the reduction in functionality is identified below.

Do not use the "Outlook Today" folder home page in Outlook 2002

You can help protect against this vulnerability by turning off the "Outlook today" folder home page in Outlook 2002.

1. In the "Folder List" window of Outlook, right-click on "Outlook Today" or "Mailbox—[User Name]"
2. Select Properties for "Outlook Today" or "Mailbox—[User Name]"
3. Select "Home Page" tab
4. Uncheck "Show home page by default for this folder"
5. Repeat for all other "Folder List" items labeled "Outlook Today" or "Mailbox—[User Name]"

Impact of Workaround:

The "Outlook Today" folder home page would no longer be available.

If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later, read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector

Microsoft Outlook 2002 users who have applied Service Pack 1 or later and Outlook Express 6.0 users who have applied Service Pack 1 or later can enable a feature that will enable them to view all non-digitally-signed e-mail messages or non-encrypted e-mail messages in plain text only.

Digitally-signed e-mail messages and encrypted e-mail messages are not affected by the setting and may be read in their original formats.

See Microsoft Knowledge Base Article 307594 for information about how to enable this setting in Outlook 2002.

See Microsoft Knowledge Base Article 291387for information about how to enable this setting in Outlook Express 6.0

Impact of Workaround:

E-mail that is viewed in plain text format cannot contain pictures, specialized fonts, animations, or other rich content. Additionally:

• The changes are applied to the preview pane and to open messages.
• Pictures become attachments to avoid loss of message content.
• Because the message is still in Rich Text Format or in HTML format in the store, the object model (custom code solutions) may behave unexpectedly because the message is still in Rich Text Format or in HTML format in the mail store.

Why is Microsoft re-issuing this bulletin
Subsequent to the release of this bulletin, it was determined that this vulnerability could also affect users who do not have the "Outlook Today" folder home page as their default home page in Outlook 2002. As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector. The update released with the original version of this security bulletin is effective in protecting from the vulnerability and users who have applied the update or have installed Office XP Service Pack 3 do not need to take additional action.

In addition, Microsoft is making available an additional "client update" for customers on the Microsoft Download Center. This additional update does not contain new fixes or functionality, but is instead an additional offering of the update that provides an alternative for customers. More information on the client update is available in the Security Update Information section.

What is the scope of the vulnerability?
A privilege elevation vulnerability exists within Outlook 2002, and its handling of mailto URLs, that could allow Internet Explorer to execute script in the Local Machine Zone on an affected system. Outlook 2002 is available as a separate product and is also included as part of Office XP. An attacker who successfully exploited this vulnerability could access files on a user's system or run arbitrary code on a user's system.

What causes the vulnerability?
The vulnerability is caused by the way a mailto URL is interpreted by Outlook 2002. By creating a specially formatted mailto URL it is possible to get Outlook 2002 to interpret the URL in a manner that could allow code execution.

What is a mailto URL?
The mailto URL scheme is defined in RFC 2368. The RFC states that "The mailto URL scheme is used to designate the Internet mailing address of an individual or service. In its simplest form, a mailto URL contains an Internet mail address. For greater functionality, because interaction with some resources may require message headers or message bodies to be specified as well as the mail address, the mailto URL scheme is extended to allow setting mail header fields and the message body."

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause Internet Explorer to execute script in the Local Machine Zone on an affected system. An attacker who exploited this vulnerability could access files on a user's system or run arbitrary code on a user's system.

How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message.

What systems are primarily at risk from the vulnerability?
Users who use Outlook 2002 as their default e-mail client are primarily at risk from this vulnerability.

Is Office 2000 or Office 2003 affected by this vulnerability?
No. These versions have tested and have been found to not be affected by this vulnerability.

Are any versions of Outlook Express affected by this vulnerability?
No.  However, if Outlook 2002 is configured as the default e-mail reader on that system, reading a malicious HTML e-mail message with any version of Outlook Express could allow the malformed mailto URL to be passed to Outlook 2002.  For Outlook Express 6 Service Pack 1 or greater, reading e-mail message in plain text can be used as a work around for this type of attack.  For more information please see the Workarounds section in this document.

What does the update do?
The update modifies the way that the mailto URL is processed by Outlook 2002.

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, click the appropriate link:

Note  This update as well as many other updates to Office XP is included in Office XP Service Pack 3. Customers are encouraged to install Office XP Service Pack 3 at the earliest available opportunity.

Prerequisites Client Update

Important  Before you install this update, make sure that the following requirements have been met:

• Microsoft Windows Installer 2.0
• Before you install this update, you must install Windows Installer 2.0 or later. For additional information about this requirement, see the "Windows Installer Update Requirements" section of this bulletin.
• Office XP Service Pack 2 (SP-2)
• Before you install this update, install Office XP SP-2. For additional information about how to install Office XP Service Pack 2, click the following article number to view the article in the Microsoft Knowledge Base: 325671 OFFXP: Overview of the Office XP Service Pack 2

Inclusion in service packs:

This update issue is included in Office XP Service Pack 3.

Installation Information Client

This security update supports the following Setup switches:

These switches do not work with all update files. If a switch does not work, the functionality is necessary for that package.

/q             Specifies quiet mode, or suppresses prompts, when files are being extracted.
/q:u          Specifies user-quiet mode, which presents some dialog boxes to the user.
/q:a          Specifies administrator-quiet mode, which does not present any dialog boxes to the user.
/t:path      Specifies the target folder for extracting files.
/c              Extracts the files without installing them. If /t: path is not specified, you are prompted for a target folder.
/c:path      Specifies the path and name of the Setup .inf or .exe file.
/r:n            Never restarts the computer after installation.
/r:i             Prompts the user to restart the computer if a restart is required, except when used with /q:a.
/r:a            Always restarts the computer after installation.
/r:s            Restarts the computer after installation without prompting the user.
/n:v           No version checking - Install the program over any previous version.

Note  The use of the /n:v switch is unsupported and may result in an unbootable system. If the installation is unsuccessful, you should consult your support professional to understand why it fails. For more information, see the Internet Explorer Administration Kit (IEAK).

If you installed Outlook or Office from a CD-ROM:

• Install only the Microsoft Outlook 2002 Security Update: KB828040 by following the steps described later in this bulletin.

Deployment Information

1. Download the client version of the Outlook 2002 Security Update
2. Click Save to save the officexp-kb828040-client-enu.exe file to the selected folder.
3. In Windows Explorer, double-click officexp-kb828040-client-enu.exe.
4. If you are prompted to install the update, click Yes.
5. Click Yes to accept the License Agreement.
6. Insert your Office XP CD-ROM when you are prompted to do so, and then click OK.
7. When you receive a message that indicates the installation was successful, click OK. Note   After you install the update, you cannot remove it. To revert to an installation before the update was installed, you must remove Office XP, and then install it again from the original CD-ROM.

Restart Requirement

No Restart required.

Removal Information

This security update can not be uninstalled.

How to Determine Whether the Update Is Installed

To determine the version of Outlook that is installed on your computer, follow these steps.

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. Click Start, and then click Search.
2. In the Search Results pane, click All files and folders under Search Companion.
3. In the All or part of the file name box, type Outlook.exe, and then click Search.
4. In the list of files, right-click Outlook.exe, and then click Properties.
5. On the Version tab, determine the version of Outlook that is installed on your computer.

The English version of the update contains the following files:

Prerequisites Administrative Update

Windows Installer Update Requirements

To install the update that is described in this bulletin requires Windows Installer 2.0 or later. Both Microsoft Windows XP and Microsoft Windows 2000 Service Pack 3 (SP3) include Windows Installer 2.0 or later. To install the latest version of the Windows Installer, visit one of the following Microsoft Web sites.

• Windows Installer 2.0 Redistributable for Windows 95, 98, and Me 
• Windows Installer for Microsoft Windows NT 4.0 and Windows 2000

Inclusion in service packs:

This update issue is included in Office XP Service Pack 3.

Installation Information for the Update

If you installed your Office XP product from a server location, the server administrator must update the server location with the administrative update and deploy that update to your computer.

1. Download the administrative version of the Outlook 2002 Security Update.

2. Click Save to save the officexp-kb828040-fullfile-enu.exe file to the selected folder.

3. In Windows Explorer, double-click officexp-kb828040-fullfile-enu.exe.

4. If you are prompted to install the update, click Yes.

5. Click Yes to accept the License Agreement.

6. In the Type the location where you want to place the extracted files box, type c:\kb828040, and then click OK.

7. Click Yes when you are prompted to create the folder.

8. If you are familiar with the procedure for updating your administrative installation, click Start, and then click Run. Type the following command in the Open box

   msiexec /a Admin Path\MSI File /p C:\kb828040\MSP File SHORTFILENAMES=TRUE

   where Admin Path is the path to your administrative installation point for Office XP (for example, C:\OfficeXP), MSI File is the .msi database package for the Office XP product (for example, Proplus.msi), and MSP File is the name of the administrative update (for example, OUTLOOKff.msp).

   Note: You can append /qb+ to the command line so that the Office XP Administrative Installation dialog box and the End User License Agreement dialog box do not appear.

Deployment Information

To deploy the update to the client workstations, click Start, and then click Run. Type the following command in the Open box

msiexec /i Admin Path\MSI File REINSTALL=Feature List REINSTALLMODE=vomu

where Admin Path is the path to your administrative installation point for Office XP (for example, C:\OfficeXP), MSI File is the MSI database package for the Office XP product (for example, Proplus.msi), and Feature List is the list of feature names (case sensitive) that have to be reinstalled for the update. To install all features, you can use REINSTALL=ALL, or you can install the following feature(s):

OUTLOOKNonBootFiles, OUTLOOKFiles

For additional information about how to update your administrative installation and deploy to client workstations, click the following article number to view the article in the Microsoft Knowledge Base:

301348 OFFXP: How to Install a Public Update to an Administrative Installation

Restart Requirement

No Restart required.

Removal Information

This security update can not be uninstalled.

File Information

The English version of this update has the file attributes (or later) that are listed in the following table.

To determine the version of Outlook that is installed on your computer, follow these steps.

Note: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. Click Start, and then click Search.
2. In the Search Results pane, click All files and folders under Search Companion.
3. In the All or part of the file name box, type Outlook.exe, and then click Search.
4. In the list of files, right-click Outlook.exe, and then click Properties.
5. On the Version tab, determine the version of Outlook that is installed on your computer.

For additional information about how to determine the version of Outlook 2002 on your computer, click the following article number to view the article in the Microsoft Knowledge Base:

291331 HOW TO: Check the Version of Office XP

Note: If the Outlook 2002 Security Update: KB828040 is already installed on your computer, you receive the following error message when you try to install Outlook 2002 Security Update: KB828040:

This update has already been applied or is included in an update that has already been applied.

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

• iDefense and Jouko Pynnönen for reporting the issue described in MS04-009.

Obtaining other security updates:

Updates for other security issues are available from the following locations:

• Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
• Updates for consumer platforms are available from the Windows Update Web site.

Support:

• Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates.
• International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates.  Information on how to contact Microsoft support is available at the International Support Web Site.

Security Resources:

• The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
• Microsoft Software Update Services
• Microsoft Baseline Security Analyzer (MBSA)
• Windows Update
• Windows Update Catalog: Please view Knowledge Base Article 323166 for more information on the Windows Update Catalog.
• Office Update

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web Site.  For detailed information about the many enhancements to the security update deployment process that SMS 2003 provides, please visit the SMS 2003 Security Patch Management Web site. Some software updates may require administrative rights following a restart of the computer.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

• V1.0 (March 9, 2004): Bulletin published
• V2.0 (March 10, 2004): Bulletin updated to reflect on a revised severity rating of Critical and to advise of a new client update.
• V2.1 (March 10, 2004): Frequently Asked Question "What is the scope of the vulnerability?" updated.
• V2.2 (April 12, 2004): Bulletin updated to advise customer that this security update replaces MS03-003.

Built at 2014-04-18T13:49:36Z-07:00