Automatic Script Execution Vulnerability In Outlook 2002, 2000
A vulnerability exists in Microsoft Outlook 2002 and Outlook 2000 that can let an attacker execute arbitrary script under the user’s security context on the vulnerable computer.
April 26, 2002
Reported April 25, 2002, by Microsoft.
VERSIONS AFFECTED
Microsoft Outlook 2002
Microsoft Outlook 2000
DESCRIPTION
A vulnerability exists in Microsoft Outlook 2002 and Outlook 2000 that can let an attacker execute arbitrary script under the user's security context on the vulnerable computer. The vulnerability stems from a difference between the security settings Outlook applies when displaying an email and those it applies when editing one. When Outlook displays an HTML-formatted email, it renders the message under Microsoft Internet Explorer's (IE's) security zone settings, which prevent scripts in the message from running. But if the user has selected Microsoft Word as the email editor (the "Use Microsoft Word to edit e-mail messages" option) and replies to or forwards the message, Outlook opens the message in Word as the editing environment, and the zone restrictions that blocked script during display are not enforced there.

An attacker can exploit this vulnerability by sending a specially malformed HTML email containing a script to an Outlook user who has Word enabled as the email editor. Simply reading the message does not trigger the script; if the user replies to or forwards it, however, the script runs and can take any action the user can take. Because the script runs in the user's security context, the damage is bounded by that user's privileges.
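The description above turns on one fact: script in an HTML message is inert while Outlook renders it, but becomes live once the same message is opened for editing in Word. A defense that does not depend on the client at all is to strip active content from HTML mail at the gateway, before it reaches Outlook. The following filter is an added example for this page, not Microsoft's code and not part of the MS02-021 patch; the lists of blocked elements and attributes are the editor's choice rather than anything from the bulletin, and the sample message it runs on is constructed for illustration.

```python
"""Gateway filter that strips active content from the HTML part of an email.

Added example, not Microsoft's code and not part of MS02-021. Element and
attribute lists are the editor's choice; the sample message is constructed.
Python 3.8+, standard library only.
"""
import email
import html
import re
from email import policy
from html.parser import HTMLParser

ACTIVE_CONTAINERS = {"script", "object", "applet", "iframe"}  # dropped with body
ACTIVE_VOID = {"embed"}                                       # dropped alone
URI_ATTRS = {"href", "src", "action", "data"}                  # may carry script:
SCRIPT_SCHEME = re.compile(r"^(javascript|vbscript):", re.I)


class ActiveContentStripper(HTMLParser):
    """Re-serialise HTML without script elements, on* handlers, script: URIs
    or comments (IE conditional comments can smuggle script past a filter)."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. verbatim
        self.out = []
        self.skip_depth = 0   # > 0 while inside a dropped container element
        self.removed = 0      # dropped elements, attributes and comments

    def _open(self, tag, attrs, self_closing):
        if tag in ACTIVE_CONTAINERS or tag in ACTIVE_VOID:
            self.removed += 1
            if tag in ACTIVE_CONTAINERS and not self_closing:
                self.skip_depth += 1      # drop everything up to the end tag
            return
        if self.skip_depth:
            return
        pieces = [tag]
        for name, value in attrs:         # HTMLParser lowercases names
            if name.startswith("on"):     # onload, onmouseover, ...
                self.removed += 1
                continue
            if name in URI_ATTRS and value is not None:
                # IE ignored whitespace/control characters inside a scheme,
                # so "java\tscript:" has to be treated as "javascript:".
                probe = re.sub(r"[\s\x00-\x1f]", "", value)
                if SCRIPT_SCHEME.match(probe):
                    self.removed += 1
                    continue
            pieces.append(name if value is None
                          else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(pieces) + ("/>" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._open(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._open(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in ACTIVE_CONTAINERS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag in ACTIVE_VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.removed += 1                 # dropped, including <!--[if IE]> blocks

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_active_content(markup):
    """Return (cleaned_html, number_of_items_removed)."""
    parser = ActiveContentStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.removed


def sanitize_message(raw):
    """Rewrite every text/html part of a message; return (message_text, removed)."""
    msg = email.message_from_string(raw, policy=policy.default)
    removed = 0
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            clean, n = strip_active_content(part.get_content())
            part.set_content(clean, subtype="html")  # replaces body and Content-* headers
            removed += n
    return msg.as_string(), removed


# Constructed sample (not from the advisory): the script is inert while Outlook
# renders this, but would run once the message is opened for editing in Word.
SAMPLE_RAW = """\
From: sender@example.invalid
To: user@example.invalid
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached figures.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body onload="alert(1)">
<p>Please see the <a href="java&#9;script:alert(2)">figures</a>.</p>
<script>alert(3)</script>
<!--[if IE]><script>alert(4)</script><![endif]-->
<p>Regards &amp; thanks</p>
</body></html>
--b1--
"""

if __name__ == "__main__":
    text, count = sanitize_message(SAMPLE_RAW)
    print(f"removed {count} active items")
    print(text)
```

This is defense in depth, not a substitute for the patch: rewriting HTML is lossy, and a drop-list filter like this one only catches the constructs it knows about, whereas the bulletin's fix closes the gap at its source by keeping the display-time restrictions in force during editing. On a real gateway, prefer rebuilding the document from an allow-list of elements rather than removing a deny-list from whatever the lenient IE-era parser will accept.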
VENDOR RESPONSE
The vendor, Microsoft, has released Security Bulletin MS02-021 to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.
CREDIT
Discovered by Microsoft.