Automatic Script Execution Vulnerability In Outlook 2002, 2000

A vulnerability exists in Microsoft Outlook 2002 and Outlook 2000 that can let an attacker execute arbitrary script under the user’s security context on the vulnerable computer.

Ken Pfeil

April 26, 2002


Reported April 25, 2002, by Microsoft.

VERSIONS AFFECTED

  • Microsoft Outlook 2002

  • Microsoft Outlook 2000


DESCRIPTION

A vulnerability exists in Microsoft Outlook 2002 and Outlook 2000 that can let an attacker execute arbitrary script under the user’s security context on the vulnerable computer. The vulnerability stems from a difference in the security settings that Outlook applies when displaying an email and when editing one. When Outlook displays an HTML-formatted email, it applies Microsoft Internet Explorer’s (IE's) security zone settings, which prevent scripts in the message from running. But if the user replies to or forwards that email and has selected Microsoft Word as the email editor, Outlook opens the message in Word, which is configured as the editor for creating email messages, and scripts aren't blocked in this mode. An attacker can exploit the vulnerability by sending a specially malformed HTML email containing a script to an Outlook user who has Word enabled as the email editor. If the user replies to or forwards the email, the script runs and can take any action the user can take. Note that simply reading the message doesn't run the script: the user must reply to or forward it, and only users who have Word selected as their email editor are exposed.
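Because the script rides in the HTML body of the message, the natural place to catch it is the mail gateway, before any user has the chance to reply in Word. The following Python script is an added example, not code from the advisory or from Microsoft: it walks every text/html part of an RFC 822 message (including the text/html half of a multipart/alternative body, which is how HTML mail normally travels) and flags a script element, an event-handler attribute, or a javascript:/vbscript: URL. The advisory only mentions "an HTML email containing a script"; the two extra markers and the sample messages below are this example's own constructions, and the patterns are heuristics rather than a full HTML parser.

```python
"""Gateway-side check for active content in HTML e-mail.

Added example, not code from the advisory or from Microsoft. It walks every
text/html part of an RFC 822 message and flags the markers that would run
if the message were opened in Word as the mail editor. The sample messages
are constructed for illustration; the marker patterns beyond a plain
<script> element are this example's own assumption.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Heuristic markers of active content in HTML. The advisory speaks only of
# "an HTML email containing a script"; event-handler attributes and
# script: URLs are included here as a generalisation (assumption).
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
SCRIPT_URL = re.compile(r"(?:javascript|vbscript)\s*:", re.IGNORECASE)


def find_active_content(html: str) -> list[str]:
    """Return the marker names found in one HTML body, in a fixed order."""
    findings = []
    if SCRIPT_TAG.search(html):
        findings.append("script-tag")
    if EVENT_HANDLER.search(html):
        findings.append("event-handler")
    if SCRIPT_URL.search(html):
        findings.append("script-url")
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Report active content per text/html part of a raw message.

    Keys are 'part-<n>', n being the part's position in msg.walk(); values
    are the marker names. Nested multipart/alternative bodies are covered
    because walk() descends into them, which matters since HTML mail is
    normally sent with a text/plain sibling.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    report: dict[str, list[str]] = {}
    for index, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue
        hits = find_active_content(part.get_content())
        if hits:
            report[f"part-{index}"] = hits
    return report


def should_quarantine(raw: bytes) -> bool:
    """True when any HTML part carries a marker; the gateway holds the mail."""
    return bool(scan_message(raw))


def build_sample(html: str) -> bytes:
    """Build a constructed multipart/alternative message around the given HTML."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Please review"
    msg.set_content("Please read the HTML version of this message.")
    msg.add_alternative(html, subtype="html")
    return msg.as_bytes()


# Constructed sample bodies: one with script, one without.
HOSTILE_HTML = (
    '<html><body onload="init()"><p>Hello</p>'
    "<script>alert('x')</script>"
    '<a href="javascript:void(0)">link</a></body></html>'
)
BENIGN_HTML = "<html><body><p>Quarterly figures attached.</p></body></html>"


if __name__ == "__main__":
    for label, html in (("hostile", HOSTILE_HTML), ("benign", BENIGN_HTML)):
        raw = build_sample(html)
        verdict = "quarantine" if should_quarantine(raw) else "deliver"
        print(label, scan_message(raw), verdict)
```

Run it as a script to see the hostile sample reported against its text/html part and the benign one passed through. In a real deployment the check would be hooked into the gateway's content filter and the flagged part stripped or the message held, since the Outlook display-time zone restriction the advisory describes is precisely what the reply-in-Word path bypasses.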

 

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS02-021 to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin. Because the attack depends on Word being the email editor, users who can't patch immediately can remove the exposure in the meantime by clearing the Use Microsoft Word to edit e-mail messages option (Tools, Options, Mail Format tab) until the patch is applied.


CREDIT

Discovered by Microsoft.
