Security Bulletin

Microsoft Security Bulletin MS01-038 - Critical

Outlook View Control Exposes Unsafe Functionality

Published: July 12, 2001 | Updated: June 13, 2003

Version: 2.3

Originally posted: July 12, 2001
Updated: June 13, 2003

Summary

Who should read this bulletin:
Customers using Microsoft® Outlook 2002, 2000, and 98.

Impact of vulnerability:
Outlook 2002: Run code of attacker's choice via either web page or HTML e-mail. Previous versions: manipulate user's folder view

Recommendation: 
Customers using Outlook 2002 should apply the patch immediately. Customers using Outlook 2000 should consider applying the patch.

Affected Software:

  • Microsoft Outlook 2002
  • Microsoft Outlook 2000
  • Microsoft Outlook 98

General Information

Technical details

Technical description:

On July 12, 2001, Microsoft released the original version of this bulletin, to advise customers of a vulnerability affecting Microsoft Outlook and to recommend that they temporarily use an administrative procedure to protect their systems. A patch that eliminates the vulnerability is now available. An updated version of the bulletin was released on August 16, 2001, to announce the availability of the patch and to advise customers that the administrative procedure is no longer needed.

The Microsoft Outlook View Control is an ActiveX control that allows Outlook mail folders to be viewed via web pages. The control should only allow passive operations such as viewing mail or calendar data. In reality, though, it exposes a function that could allow the web page to manipulate Outlook data. In an Outlook 2002 client, this could enable an attacker to delete mail, change calendar information, or take virtually any other action, including running arbitrary code on the user's machine. In contrast, in Outlook 98 and 2000 the attacker could use the control to manipulate the user's folder view, but could not use it to read, change or delete data, or to run code on the user's machine.

Hostile web sites would pose the greatest threat with respect to this vulnerability. If a user could be enticed into visiting a web page controlled by an attacker, script or HTML on the page could invoke the control when the page was opened. The script or HTML could then use the control to take whatever action the attacker desired, within the limits posed by the user's version of Outlook.

It also would be possible for the attacker to send an HTML e-mail to a user, with the intent of invoking the control when the recipient opened the mail. However, the Outlook E-mail Security Update would thwart such an attack. (The Update automatically installs as part of Outlook 2002, and is available for download for Outlook 2000 and 98). The Update causes HTML e-mails to be opened in the Restricted Sites Zone, where ActiveX controls are disabled by default.

Mitigating factors:

  • The risk posed by this vulnerability vary radically with the version of Outlook the user is running. In Outlook 2002, it would allow virtually any action to be taken on the user's computer. In previous versions, it would only allow an attacker to change the user's display options.
  • The newly-released Outlook E-mail Security Update that is integrated into Outlook 2002 would also prevent this vulnerability from being exploited via e-mail in all affected Outlook versions.
  • The vulnerability provides no capability for the attacker to force a user to visit a web page that exploits it.

Vulnerability identifier: CAN-2001-0538

Tested Versions:

Microsoft tested Outlook 2000 and 2002 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.

Frequently asked questions

Why is Microsoft re-releasing this bulletin?
The original version of the bulletin advised customers of a workaround procedure that could be used while a patch was under development. We have now completed the patch, and have re-released this bulletin to advise customers of its availability.

What's the scope of this vulnerability?
The scope of this vulnerabilty would vary significantly depending on the version of Outlook the user is running. If exploited against a user running Outlook 2002, it could enable an attacker to read or delete mail, change calendar or contact information, or take any other action possible though Outlook 2002, including running code on the user's machine. If exploited against a user running Outlook 2000 or 98, it could enable an attacker to change the user's display options in Outlook, but nothing more. In order to exploit the vulnerability, the attacker would need to either lure a user to a particular web site or send a specially-designed e-mail to the user. In the first scenario, the attacker couldn't compel the user to visit the site. In the second scenario, a security update that has been available for over a year would fully protect the user's system.

What causes the vulnerability?
The vulnerability results because an ActiveX control installed by Outlook 2002 exposes an unsafe function that could enable an attacker to run any desired code on another user's system.

What's ActiveX?
ActiveX is a technology that enables developers to write small programs called controls, that can be used by web pages, Visual Basic programs, and other applications. An ActiveX control performs a small number of related tasks, and can be used as building blocks in much more complex programs. Developers can build custom ActiveX controls; if this is done, the controls must be distributed to each user. However, Microsoft and many third-party software vendors ship ActiveX controls with their products, to enable these products to be easily extended. The vulnerability in this case involves an ActiveX control that installs by default as part of Outlook 2002, but also affects Outlook 98 and 2000.

What is the ActiveX control at issue here?
The control is called the Microsoft Outlook View Control. Its purpose is to allow information from Outlook to be displayed, usually within a web browser. For instance, using this control, a web page could show a user the contents of her Outlook inbox.

What's wrong with the control?
The control provides a function that could enable the web page to do more than simply display information for the user - it could enable it to take action within Outlook, including manipulating any of the user's Outlook data, such as mail, calendar information, contacts, and so forth.

What would this enable the attacker to do?
It would depend on the version of Outlook the user was running. An attacker who successfully exploited this vulnerability against an Outlook 2002 user could take virtually any action on the user's system. Examples include creating, deleting or changing mail, adding new appointments, modifying contacts, and potentially up to running arbitrary code on the user's machine. In contrast, an attacker who exploited the vulnerability against a user running Outlook 2000 or 98 wouldn't be able to take any serious action. The vulnerability would only allow the attacker to change how Outlook folders appear, but nothing more. It would provide no opportunity for the attacker to read, change or delete any data on the user's machine, or to run code on it.

How could the attacker exploit the vulnerability?
The attacker would need to create a web page that, when opened, would invoke the control and misuse the function we discussed above. The attacker would likely use either of two strategies to cause another user to open the page.

  • He could host the page on a web site he controlled. If a user visited the site and opened the web page, the page would attempt to invoke the control.
  • He could send the user a link to a malicious web page via e-mail. If the recipient clicked on the link, it would attempt to invoke the control on the malicious web site.

In both of the scenarios, you said the web page would attempt to invoke the control. What's the significance of the word "attempt"?
You can control whether web pages are allowed to invoke ActiveX controls. If you've configured your system to prevent this, the web page couldn't invoke the control, and the attacker couldn't exploit the vulnerability. In the original version of the bulletin, we recommended that customers protect their systems against the vulnerability by temporarily reconfiguring their systems to prevent web pages from invoking ActiveX controls. However, a patch is now available that eliminates the vulnerability altogether, and customers who apply it can safely return their systems to their previous configurations if they wish.

I'm a system administrator, and would like to enable ActiveX controls on all my users' machines after installing the patch. Can I do this?
Yes. The procedure to use depends on the operating system you're using: Windows 2000 networks using Active Directory. You can use Group Policy to automatically push the settings to all users the next time they log on. To do this, follow these steps:

  1. Create a Group Policy object at the Site, Domain or Organizational Unit level.
  2. Choose User Configuration | Windows Settings | Internet Explorer Maintenance | Security | Security Zones and Content Maintenance.
  3. Click the radio button titled "Import the current security zones settings", then click on "Modify Settings"
  4. Click on the icon labeled "Internet", then click the button labeled "Custom Level".
  5. Scroll down the list of settings until you find the one titled "Run ActiveX controls and plug-ins". Select "Enable", then click OK twice to return to the Group Policy dialogue.

All other operating systems. Use the IE Administration Kit's Profile Manager to create an update package with the desired security settings. Once this has been done, users can either use a URL or an AutoConfig URL (which would have been specified during the initial IE setup) to automatically update the settings. For more information on doing this, see https:.

I previously followed the workaround and disabled ActiveX control in the Internet Zone. I've now installed the patch. How do I undo the workaround?
To re-enable ActiveX controls in the Internet Zone, follow these instructions:

  1. In Internet Explorer, choose Tools, then Options.
  2. Select the Security tab
  3. Click on the icon labeled "Internet", then click the button labeled "Custom Level".
  4. Scroll down the list of settings until you find the one titled "Run ActiveX controls and plug-ins". Select "Enable", then click OK to return to the Options page.
  5. Click OK again to close the Options page.

If you chose to disable ActiveX in either the Intranet or Trusted Sites Zones and want to re-enable the setting, follow the instructions above but in Step 3 choose the icon labeled "Intranet" or "Trusted Sites", as appropriate.

I found that I liked running IE with ActiveX controls disabled. Do I have to re-enable the setting?
No. If you like the new settings, there's no reason why you must change them. However, we still recommend applying the patch, just in case you decide at some future point to re-enabled ActiveX controls.

How great a risk does the e-mail-borne scenario above pose?
If you've installed the Outlook E-mail Security Update, you're at no risk from the e-mail-borne scenario, as the Update causes HTML e-mail to be handled in the Restricted Sites Zone, where ActiveX controls are disabled by default. The Update is included by default in Outlook 2002. Just the same, we recommend that even customers using the Update or Outlook 2002 download and install the patch, to protect against the web-based scenario.

I'm running Outlook 98, but there isn't a patch for it. Why is this?
Outlook 98 is no longer supported. We recommend that customers using Outlook 98 either upgrade to a more recent version or continue operating with ActiveX controls disabled in the Internet Zone.

Doesn't this leave Outlook 98 users at risk??
No. Keep in mind that the only thing an attacker could do via this vulnerability against an Outlook 98 user would be to change the user's Outlook folder view. It couldn't be used to compromise data or control of the system in any way. In addition -- and in contrast to Outlook 2002 and 2000 -- the control at issue here doesn't ship as part of Outlook 98. The attacker would have to convince the user to download and install the control, and even then could only use it for an annoyance attack.

The Patch Availability section lists something called an Administrative Patch. What is this?
The administrative patch is a version of the patch that's packaged to allow it to be deployed throughout a network by an administrator. Microsoft Knowledge Base article Q303825 discusses how to deploy the administrative patch for Outlook 2002.

Patch availability

Download locations for this patch

Download locations for the Administrator version patch for Outlook 2002:

  • Visit the Microsoft Download Center for the Administrative Version of the Outlook 2002 Patch. Knowledge Base article Q303825 describes how to apply and deploy this administrative update.

    Note: There is no Administrative update available for Outlook 2000. For more information please see Knowledge Base article Q303833.

Additional information about this patch

Installation platforms:

The patch can be applied to Office 2000 SR-1 and SP-2 and Office XP Gold.

Inclusion in future service packs:

The fix for this issue will be included in Office XP Service Pack 1.

Reboot needed: No

Superseded patches: None.

Verifying patch installation:

  • Outlook 2002:
    • Help|About|Microsoft Outlook will display a version of 10.0.3117.
    • To verify the individual files, consult the file manifest in Knowledge Base article Q303825.
  • Outlook 2000:
    • To verify the individual files, consult the file manifest in Knowledge Base article Q303833.

Caveats:

None

Localization:

The Outlook 2002 patch can be used on all language versions. The Outlook 2000 patch will have all supported languages via the patch download page.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Support:

  • Microsoft Knowledge Base articles Q303833, Q303833, and Q303835 discussing this issue will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (July 12, 2001): Bulletin Created.
  • V2.0 (August 16, 2001): Bulletin updated to announce availability of patch.
  • V2.1 (August 17, 2001): Bulletin updated to clarify the differing impact of the vulnerability on Outlook 2002 versus Outlook 2000 and 98.
  • V2.2 (October 04, 2001): Bulletin updated to clarify the installation platforms and note that patch can be installed on Outlook 2000 SR-1
  • V2.3 (June 13, 2003): Updated download links to Windows Update.

Built at 2014-04-18T13:49:36Z-07:00</https:>