From secnotif@MICROSOFT.COM Sat Dec 8 11:49:08 2001 From: Microsoft Product Security To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM Date: Fri, 7 Dec 2001 19:15:28 -0800 Subject: Microsoft Security Bulletin MS01-057 (version 2.0) The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox. ******************************** -----BEGIN PGP SIGNED MESSAGE----- - ---------------------------------------------------------------------- Title: Specially Formed Script in HTML Mail can Execute in Exchange 5.5 OWA Date: 06 December 2001 Revised: 07 December 2001 (version 2.0) Software: Microsoft Exchange 5.5 Server Outlook Web Access Impact: Run Code of Attacker's Choice Max Risk: Medium Bulletin: MS01-057 Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-057.asp. - - - ---------------------------------------------------------------------- Reason for Revision: ==================== On December 6, 2001 Microsoft released the original version of this bulletin. On December 7, 2001 an issue relating to file dependencies for the patch was identified and the bulletin was updated and re-released to include this information. Specifically, for this patch to function properly, the Outlook Web Access (OWA) server on which the patch is installed must have Internet Explorer (IE) 5.0 or greater installed. If the patch is installed on a system with a version of IE older than 5.0, unexpected consequences may result. The "Caveats" section has been updated to include version requirements for this patch. In addition, it contains version recommendations for dependent components that are applicable at the time of this writing. In addition, the FAQ contains remediation information for customers who have applied this patch on systems with versions of IE older than 5.0. Issue: ====== Outlook Web Access (OWA) is a service of Exchange 5.5 Server that allows users to access and manipulate messages in their Exchange mailbox by using a web browser. A flaw exists in the way OWA handles inline script in messages in conjunction with Internet Explorer (IE). If an HTML message that contains specially formatted script is opened in OWA, the script executes when the message is opened. Because OWA requires that scripting be enabled in the zone where the OWA server is located, a vulnerability results because this script could take any action against the user's Exchange mailbox that the user himself was capable of, including sending, moving, or deleting messages. An attacker could maliciously exploit this flaw by sending a specially crafted message to the user. If the user opened the message in OWA, the script would then execute. While it is possible for a script to send a message as the user, it is impossible for the script to send a message to addresses in the user's address book. Thus, the flaw cannot be exploited for mass-mailing attacks. Also, mounting a successful attack requires knowledge of the intended victim's choice of mail clients and reading habits. If the maliciously crafted message were read in any mail client other than a browser through OWA, the attack would fail. Mitigating Factors: ==================== - A successful attack would require the victim to read the message in a IE using OWA only. The attack would fail if read in any other mail client. - A successful attack would also require knowledge of the version of OWA in use. The attack would fail on other versions of OWA. - A successful attack can only take action on the mailbox on the Exchange Server as the user. It cannot take action on the user's local machine. It cannot take actions on any other users mailbox directly. Nor can it take actions directly on the Exchange Server. Risk Rating: ============ - Internet systems: Moderate - Intranet systems: Moderate - Client systems: None Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms01-057.asp for information on obtaining this patch. Acknowledgment: =============== - Lex Arquette of WhiteHat Security (http://www.whitehatsec.com) - --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBPBGFso0ZSRQxA/UrAQEWHwf9G2/LR4CsBV2mzSmjKJeV6HkmK3FMFxJX HxNz5HgRaNbX7ZniySp3gBCP3+DW/q3Gw1u16VFluTFE1hfjaR2D43Sx7Ie1UP0N jEbdXRw7BtrD9lwFdSwI35tESjWev2x0Ap9ZfKEbtCjga1hQ5qHH4arJ2v6i2KUY 0dQQGMlIbj3U+wMcwwkzyv2pV+3pBRCVxbrwpUKm7N+b/JcXeU4BqwLzgQd5ZEAJ qvrw7WLZSQpRHG7eo8rINglgG4Bo7sN4hdAK8X86hr69ImJh6lQFMwaVYiAj880l 2IxIa7Dcg9m7pzN3nIcjbsdCw/KRKXmmVZObPe2kKi48PuYwsv7CSw== =Jp5G -----END PGP SIGNATURE----- ******************************************************************* You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like. To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.