Automatic Script Execution Vulnerability In Outlook 2002, 2000

Reported April 25, 2002, by Microsoft.

VERSIONS AFFECTED

• Microsoft Outlook 2002

• Microsoft Outlook 2000

DESCRIPTION

A vulnerability exists in Microsoft Outlook 2002 and Outlook 2000 that can let an attacker execute arbitrary script under the user’s security context on the vulnerable computer. This vulnerability stems from a difference in the security settings that the system applies when displaying an email rather than editing one. When Outlook displays an HTML-formatted email, Outlook applies Microsoft Internet Explorer’s (IE's) security zone settings that prevent the system from running scripts. But if the user replies to or forwards this email and has selected Microsoft Word as the email editor, Outlook opens the message and configures Word to be the editor for creating email messages. Outlook doesn't block scripts in this mode. An attacker can exploit this vulnerability by sending a specially malformed HTML email containing a script to an Outlook user who has Word enabled as the email editor. If the user replies to or forwards the email, the script runs and can take any action the user can take.

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS02-021 to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.

CREDIT
Discovered by Microsoft.