[SECURITY-L] CAIS-Alerta: Vulnerability in Outlook 2002 (828040)

CSIRT - UNICAMP security at unicamp.br
Wed Mar 10 10:08:23 -03 2004


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br>
Subject: CAIS-Alerta: Vulnerability in Outlook 2002 (828040)
To: rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Tue, 9 Mar 2004 17:13:41 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----


Dear all,

CAIS is forwarding the alert published by Microsoft, "Microsoft
Security Bulletin MS04-009: Vulnerability in Microsoft Outlook Could Allow
Code Execution (828040)", which addresses a vulnerability present in
Microsoft Outlook 2002 and in Microsoft Windows XP Service Pack 2 that can
allow a remote attacker to execute arbitrary code in the Windows
"Local Machine" security context. The code execution does not require
user interaction to occur.

A vulnerability in the way Outlook handles the content of the
"mailto:" parameter passed through a URI can allow script execution
within the Windows "Local Machine" security zone. The problem occurs
when the string """ is inserted in a "mailto:" URI, followed by the
command or script that the attacker wants to execute. This command
can be an Outlook startup parameter or a JavaScript script.

This can allow the attacker to download malicious programs and execute
them with local access to the machine.


Affected Systems:

	. Microsoft Office XP Service Pack 2
	. Microsoft Outlook 2002 Service Pack 2


Unaffected Systems:

	. Microsoft Office 2000 Service Pack 3
	. Microsoft Office XP Service Pack 3
	. Microsoft Office 2003
	. Microsoft Outlook 2000 Service Pack 3
	. Microsoft Outlook 2002 Service Pack 3
	. Microsoft Outlook 2003


Available fixes:

The fix consists of applying the corresponding patches recommended by
Microsoft, available at:

. Microsoft Office XP Service Pack 2
http://www.microsoft.com/office/ork/updates/xp/olk1007a.htm

. Microsoft Outlook 2002 Service Pack 2
http://www.microsoft.com/office/ork/updates/xp/olk1007a.htm


Further information:

. Microsoft Security Bulletin MS04-009
http://www.microsoft.com/technet/security/Bulletin/MS04-009.mspx

. iDEFENSE Security Advisory 03.09.04
http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities


CVE identifiers (http://cve.mitre.org): CAN-2004-0121


CAIS recommends that administrators of Microsoft platforms always keep
their systems and applications up to date.


Regards,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais at cais.rnp.br       http://www.cais.rnp.br                #
# Tel. 019-37873300      Fax. 019-37873301                     #
# PGP key available      http://www.rnp.br/cais/cais-pgp.key   #
################################################################

Microsoft Security Bulletin MS04-009
Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)

Issued: March 9, 2004
Version: 1.0
Summary
Who Should Read This Document: Customers that are using Microsoft® Office XP and Outlook 2002
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Recommendation: Customers should install the patch at the earliest opportunity.
Security Update Replacement: None
Caveats: None
Tested Software and Security Update Download Locations:


Affected Software

Microsoft Office XP Service Pack 2 - Download the update
Microsoft Outlook 2002 Service Pack 2 - Download the update

Non Affected Software

Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Microsoft Office 2003
Microsoft Outlook 2000 Service Pack 3
Microsoft Outlook 2002 Service Pack 3
Microsoft Outlook 2003

The software listed above has been tested to determine if the versions are
affected.  Other versions either no longer include security patch support
or may not be affected.  Please review the Microsoft Support Lifecycle Web
site to determine the support lifecycle for your product and version.
General Information

Technical details

Technical description:

A security vulnerability exists within Outlook 2002 that could allow
Internet Explorer to execute script code in the Local Machine zone on an
affected system. The parsing of specially crafted mailto URLs by Outlook
2002 causes this vulnerability. To exploit this vulnerability, an attacker
would have to host a malicious Web site that contained a Web page designed
to exploit the vulnerability and then persuade a user to view the Web
page.

The attacker could also create an HTML e-mail message designed to exploit
the vulnerability and persuade the user to view the HTML e-mail message.
After the user has visited the malicious Web site or viewed the malicious
HTML e-mail message an attacker who successfully exploited this
vulnerability could access files on a user's system or run arbitrary code
on a user's system. This code would run in the security context of the
currently logged-on user. Outlook 2002 is available as a separate product
and is also included as part of Office XP.

Mitigating factors:

When an Outlook profile is first created and at least one e-mail account
is set up during the initial configuration of the profile the default
folder home page is automatically changed from "Outlook Today" to "Inbox."

Users are only at risk from this vulnerability when the "Outlook Today"
home page is their default folder home page. This is the default
configuration when an Outlook profile is created without any e-mail
accounts.

Users are only at risk from this vulnerability when Outlook 2002 is
configured as the default mail reader and when the "Outlook Today" home
page is their default folder home page. Installing other e-mail clients
may change this configuration as they can register themselves as the
default mail reader on the system.

If an attacker exploited this vulnerability, the attacker would gain only
the same privileges as the user. Users whose accounts are configured to
have few privileges on the system would be at less risk than users who
operate with administrative privileges.

Severity Rating:

Microsoft Office XP: Important
Microsoft Outlook 2002: Important

The above assessment is based on the types of systems that are affected by
the vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2004-0121

Workarounds

Microsoft has tested the following workarounds. These workarounds will not
correct the underlying vulnerability. However, they help block known
attack vectors. Workarounds may reduce functionality in some cases; in
such cases, the reduction in functionality is identified below.

Do not use "Outlook Today" as the default home page in Outlook 2002

You can help protect against this vulnerability by changing your default
folder home page in Outlook 2002 to the "Inbox" or to a folder other than
"Outlook Today". The "Outlook Today" home page is only the default folder
home page when an Outlook profile is originally configured without any
e-mail accounts.

1. In Outlook 2002, click Options in the Tools menu.

2. Under the tab Other choose Advanced Options.

3. Set your "Startup in this folder:" to Inbox if it is set to Outlook Today.

Impact of Workaround:

The "Outlook Today" folder home page would not be the default view.

If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later, read
e-mail messages in plain text format to help protect yourself from the
HTML e-mail attack vector

Microsoft Outlook 2002 users who have applied Service Pack 1 or later and
Outlook Express 6.0 users who have applied Service Pack 1 or later can
enable a feature that lets them view all non-digitally-signed e-mail
messages or non-encrypted e-mail messages in plain text only.

Digitally-signed e-mail messages and encrypted e-mail messages are not
affected by the setting and may be read in their original formats.

See Microsoft Knowledge Base Article 307594 for information about how to
enable this setting in Outlook 2002.

See Microsoft Knowledge Base Article 291387 for information about how to
enable this setting in Outlook Express 6.0.

Impact of Workaround:

E-mail that is viewed in plain text format cannot contain pictures,
specialized fonts, animations, or other rich content. Additionally:

The changes are applied to the preview pane and to open messages.

Pictures become attachments to avoid loss of message content.

Because the message is still in Rich Text Format or in HTML format in the
mail store, the object model (custom code solutions) may behave
unexpectedly.

Acknowledgments

Microsoft thanks the following for working with us to help protect
customers:

iDefense and Jouko Pynnönen for reporting the issue described in MS04-009.

Obtaining other security updates:

Updates for other security issues are available from the following
locations:

Security updates are available from the Microsoft Download Center, and can
be most easily found by doing a keyword search for "security_patch".

Updates for consumer platforms are available from the Windows Update Web
site.

Support:

Technical support is available from Microsoft Product Support Services at
1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge
for support calls that are associated with security updates.

International customers can get support from their local Microsoft
subsidiaries. There is no charge for support associated with security
updates.  Information on how to contact Microsoft support is available at
the International Support Web Site.

Security Resources:

The Microsoft TechNet Security Web Site provides additional information
about security in Microsoft products.

Microsoft Software Update Services

Microsoft Baseline Security Analyzer (MBSA)

Windows Update

Windows Update Catalog: Please view Knowledge Base Article 323166 for more
information on the Windows Update Catalog.

Office Update

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security
update. For information about Systems Management Server visit the SMS Web
Site.  For detailed information about the many enhancements to the
security update deployment process that SMS 2003 provides, please visit
the SMS 2003 Security Patch Management Web site. Some software updates may
require administrative rights following a restart of the computer.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Microsoft Corporation
or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:

V1.0 (March 9, 2004): Bulletin published



----- End forwarded message -----
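
An added example, not part of the CAIS alert or the Microsoft bulletin: a Python check that could be run over HTML message bodies or pages to flag "mailto:" URIs carrying a double-quote character, the pattern the alert describes. The function and class names, the constructed sample HTML, and the decision to also catch entity-encoded and percent-encoded quotes are assumptions of this example.

```python
"""Flag mailto: URIs in HTML whose decoded form contains a double quote."""
from html.parser import HTMLParser
from urllib.parse import unquote


class MailtoQuoteScanner(HTMLParser):
    """Collects (tag, attribute, decoded URI) for suspicious mailto: values."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Every attribute value is checked, so the scan does not depend on
        # a list of attribute names.
        for name, value in attrs:
            if not value:
                continue
            # HTMLParser has already decoded entities such as &quot;.
            # Percent-decoding is applied twice to catch double encoding.
            decoded = unquote(unquote(value)).strip()
            if decoded.lower().startswith("mailto:") and '"' in decoded:
                self.findings.append((tag, name, decoded))


def scan_html(html_text):
    """Return the list of mailto: URIs that contain a quote character."""
    scanner = MailtoQuoteScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample input: one ordinary link, three flagged forms of the
# quote (entity, percent-encoded, literal), one non-mailto link.
SAMPLE_HTML = """
<html><body>
<a href="mailto:helpdesk@example.org?subject=Reset">ok</a>
<a href="mailto:user@example.org&quot; PLACEHOLDER-ARGUMENT">entity</a>
<a href="mailto:user@example.org%22%20PLACEHOLDER-ARGUMENT">percent</a>
<a href='MAILTO:user@example.org" PLACEHOLDER-ARGUMENT'>literal</a>
<a href="https://example.org/?q=%22quoted%22">not mailto</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, uri in scan_html(SAMPLE_HTML):
        print(f"suspicious mailto in <{tag} {attr}=...>: {uri!r}")
```

A legitimate "mailto:" link can contain a quoted display name, so a hit is a reason to inspect the message rather than proof of an attack.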


