From secnotif@MICROSOFT.COM Wed Jun 6 23:15:36 2001 From: Microsoft Product Security To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM Date: Wed, 6 Jun 2001 17:30:09 -0700 Subject: Microsoft Security Bulletin MS01-030 The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox. ******************************** -----BEGIN PGP SIGNED MESSAGE----- - ---------------------------------------------------------------------- Title: Incorrect Attachment Handling in Exchange 2000 OWA Can Execute Script Date: 06 June 2001 Software: Microsoft Exchange 2000 Server Outlook Web Access Impact: Run code of attacker's choice Bulletin: MS01-030 Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-030.asp. - ---------------------------------------------------------------------- Issue: ====== OWA is a service of Exchange 2000 Server that allows users to use a web browser to access their Exchange mailbox. However, a flaw exists in the interaction between OWA and IE for message attachments. If an attachment contains HTML code including script, the script will be executed when the attachment is opened, regardless of the attachment type. Because OWA requires that scripting be enabled in the zone where the OWA server is located, this script could take action against the user's Exchange mailbox. An attacker could use this flaw to construct an attachment containing malicious script code. The attacker could then send the attachment in a message to the user. If the user opened the attachment in OWA, the script would execute and could take action against the user's mailbox as if it were the user, including, under certain circumstances, manipulation of messages or folders. Mitigating Factors: ==================== - The vulnerability could only be exploited if the user were using OWA in conjunction with IE. - The vulnerability is only exploitable by attachments that are received via OWA. In general, an attacker would have no way to determine whether a user would open an attachment using OWA rather than an Outlook client. - An attacker's ability to exploit this vulnerability would require that she entice the user to open an attachment from an untrusted source. Best practices recommend against opening any attachment from an unknown or untrusted source. Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletin http://www.microsoft.com/technet/security/bulletin/ms01-030.asp for information on obtaining this patch. Acknowledgment: =============== - Joao Gouveia (tharbad@kaotik.org) - --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBOx7LEY0ZSRQxA/UrAQEG+gf/YyYGSEvUIavnZrH+1rrj7KBitkI6hY+w 3Ztki4FqGCkE79wdXAcPupRWpfmVmaeY76EFTvWTK3JJtxgf0FbuuelSYoq4Qean ZfB0RPsRjaK9i5kh0tiaQ+gp/gfXU+hKqIqJKzYb9N+p4RSiw+7l193Xnuu5zgTi 3EWvPwSkZMIVgr9upT1f7rXZXVfB8qZ8bGMh3ukvr9wtCJ/6x0fVEGA3ePBcII9w 9dAt9HZPkVH7ewvnsLYTmHA6Dd66WFP03rAH0hzrJLJgbTKZtlgw+Y5AKdUEjQLU WmPRKfceWiqW/reA6ZNiObG0/Sn5jU/3Gj4Yt0QS8hchZin//c80bA== =tYq2 -----END PGP SIGNATURE----- ******************************************************************* You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like. To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.