Microsoft Security Bulletin (MS00-045) [forwarded from Microsoft Product Security]
John Ladwig
and 046 are all closely related.
-jml
]
------- start of forwarded message -------
From: Microsoft Product Security <secn...@MICROSOFT.COM>
To: MICROSOFT...@ANNOUNCE.MICROSOFT.COM
Subject: Microsoft Security Bulletin (MS00-045)
Date: Thu, 20 Jul 2000 18:42:04 -0700
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-045)
- --------------------------------------
Patch Available for "Persistent Mail-Browser Link" Vulnerability
Originally Posted: July 20, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability affecting Microsoft(r) Outlook Express. The
vulnerability could allow a malicious user to send an email that
would "read over the shoulder" of the recipient as he previews
subsequent emails in Outlook Express.
A patch is available that eliminates this vulnerability as well as
those discussed in Microsoft Security Bulletins MS00-043 and
MS00-046. Customers who already have taken the corrective action
discussed in either of these bulletins do not need to take any
additional action.
Frequently asked questions regarding this vulnerability and the
patch can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-045.asp
Issue
=====
By design, HTML mail can contain script, and among the actions such a
script can take is to open a browser window that links back to the
Outlook Express windows. Also by design, script in the browser window
could read the HTML mail that is displayed in Outlook Express.
However, a vulnerability results because the link could be made
persistent. This could allow the browser window to retrieve the text
of mails subsequently displayed in the preview pane, and relay it to
the malicious user.
There are several significant restrictions on this vulnerability:
- Only the recipient could open the HTML mail that established
the link.
- The attack would only persist until the user either closed
the browser window that the HTML mail opened, or closed
Outlook Express.
- The malicious user could only read mails that were displayed
in the preview pane. If the preview pane feature were
disabled, he could not read mails under any conditions.
The vulnerability is eliminated in Outlook Express 5.5, and customers
who have installed it do not need to take any additional action.
Outlook Express 5.5 is available as part of Internet Explorer 5.01
Service Pack 1, and, except when installed on Windows 2000, Internet
Explorer 5.5. A patch is available for customers who prefer not to
upgrade to Outlook Express 5.5.
Affected Software Versions
==========================
- Microsoft Outlook Express 4.0
- Microsoft Outlook Express 4.01
- Microsoft Outlook Express 5.0
- Microsoft Outlook Express 5.01
Patch Availability
==================
This vulnerability can be eliminated by taking any of the following
actions:
- Installing the patch available at
http://www.microsoft.com/windows/ie/download/critical/patch9.htm
- Performing a default installation of Internet Explorer 5.01
Service Pack 1,
http://www.microsoft.com/Windows/ie/download/ie501sp1.htm.
- Performing a default installation of Internet Explorer 5.5
(http://www.microsoft.com/windows/ie/download/ie55.htm)
on any system except Windows 2000.
Note: The patch requires IE 4.01 SP2
(http://www.microsoft.com/windows/ie/download/ie401sp2.htm) or
IE 5.01 (http://www.microsoft.com/windows/ie/download/ie501.htm)
to install. Customers who install this patch on versions other
than these may receive a message reading "This update does not
need to be installed on this system". This message is incorrect.
More information is available in KB article Q261255.
Note: In addition to eliminating the vulnerability at issue
here, the steps above also eliminate all vulnerabilities
discussed in Microsoft Security Bulletins MS00-043
(http://www.microsoft.com/technet/security/bulletin/MS00-043.asp)
and MS00-046
(http://www.microsoft.com/technet/security/bulletin/MS00-046.asp).
Customers who already have taken the corrective action discussed
in either of these bulletins do not need to take any additional
action.
Note: Additional security patches are available at the Microsoft
Download Center (http://www.microsoft.com/downloads).
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-045,
http://www.microsoft.com/technet/security/bulletin/fq00-045.asp
- Microsoft Knowledge Base article Q261255 discusses this
vulnerability and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.
Revisions
=========
- June 20, 2000: Bulletin Created.
- ------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.
Last Updated July 20, 2000
(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQEVAwUBOXeqTo0ZSRQxA/UrAQEXpgf+KXXLTGkY1vx5cmf/PAWm2CzDOqmyxcke
rleJIaT2dXmSJ2YDBePWkz8IIlWGQWSg6+t1/mJl59F/AtRWC+5ig+dgU7N3je3C
UIeqp/sJY9tGDJ6z8NmoHMmvZWSwKe8cZTVqkQEaO3YJ6DAu+2LI2Mbw1FQLwESN
Pw1d4Tp9OWD8X5UElggo3LjwlBMkuOBDnsD5ONESRvYQvTh/tOkL3Bbfuj9NblTX
0amDX8CClsLl0+m9tzFZ99iyB3zvV/Cmj7saGacZtonRTfoRHQjsIQ+iQe6AUlzl
FIik/dQeNHda1xJKY1/ixaNQ+UPKjlPceLgKwFK6oQXicqOsMJABoA==
=HZyG
-----END PGP SIGNATURE-----
*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURIT...@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.
To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
------- end of forwarded message -------